Path Traversal in WordPress Plugin Exposes Files
The National Vulnerability Database has identified a path traversal vulnerability, CVE-2026-5710, affecting the Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress. Versions up to and including 1.3.9.6 are susceptible to arbitrary file reads; the flaw is scored CVSS 7.5 (High).
This flaw stems from the plugin’s failure to properly validate client-supplied mfile[] POST values. It directly appends user-submitted filenames to its upload URL without sanitization or server-side checks. This means an unauthenticated attacker can manipulate the mfile[] parameter with path traversal sequences to read and exfiltrate any file accessible by the web server process. The files are then disclosed as email attachments via outgoing Contact Form 7 emails.
While the vulnerability is severe, its scope is limited to the wp-content folder due to the wpcf7_is_file_path_in_content_dir() function in the main Contact Form 7 plugin. This doesn’t make it any less dangerous for sensitive configurations or data within that directory. Defenders need to understand that this isn’t just a theoretical bug; it’s a direct path to data exfiltration for unauthenticated attackers.
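To show the defect class concretely, here is an added example (not the plugin's own code) that places the unsafe concatenation pattern described above next to a hardened filter for the mfile[] array. The upload directory, function names and log text are assumptions; a real fix would also be applied inside the plugin's own upload and mail hooks.

```php
<?php
// Added example, not the plugin's code. Upload directory and helper names are
// hypothetical placeholders chosen for illustration.

// Unsafe pattern: the client-supplied name is concatenated straight into the
// upload path, so values containing "../" sequences escape the directory.
function unsafe_attachment_path(string $upload_dir, string $client_name): string {
    return $upload_dir . '/' . $client_name;
}

// Hardened pattern: accept only a bare file name, resolve it, and verify the
// resolved path is still inside the plugin's own upload directory.
function safe_attachment_path(string $upload_dir, string $client_name): ?string {
    // Reject empty names, embedded NULs, separators and the ".." entry.
    if ($client_name === '' || str_contains($client_name, "\0")
        || $client_name !== basename($client_name) || $client_name === '..') {
        return null;
    }
    $base      = realpath($upload_dir);
    $candidate = realpath($upload_dir . DIRECTORY_SEPARATOR . $client_name);
    if ($base === false || $candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment check on canonical paths (the trailing separator prevents
    // a sibling directory with a common prefix from passing).
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Filter the mfile[] array before anything is attached to outgoing mail:
// only names that pass the check reach the attachment list, rejects are logged.
function collect_attachments(string $upload_dir, array $mfile): array {
    $attachments = [];
    foreach ($mfile as $name) {
        if (!is_string($name)) {
            continue;
        }
        $path = safe_attachment_path($upload_dir, $name);
        if ($path === null) {
            error_log('dnd-cf7 (example): rejected mfile[] value ' . var_export($name, true));
            continue;
        }
        $attachments[] = $path;
    }
    return $attachments;
}

// Usage (hypothetical directory): $files = collect_attachments(WP_CONTENT_DIR . '/uploads/dnd-example', $_POST['mfile'] ?? []);
```

The rejected-value log line also gives defenders a server-side signal for attempted traversal, which web server access logs alone do not provide because the mfile[] values travel in the POST body.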
What This Means For You
- If your organization uses the Drag and Drop Multiple File Upload for Contact Form 7 plugin on your WordPress sites, you are exposed. This isn't a complex attack; it's a straightforward path traversal that an unauthenticated attacker can leverage to read arbitrary files from your `wp-content` directory. Prioritize patching this plugin immediately. If a patch isn't available, disable the plugin until you can secure your environment. Audit your web server logs for suspicious access patterns to the `wp-content` directory, especially around Contact Form 7 submissions.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-5710 | Path Traversal | Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress versions <= 1.3.9.6 |
| CVE-2026-5710 | Arbitrary File Read | Vulnerable function: dnd_wpcf7_posted_data() and dnd_cf7_mail_components() |
| CVE-2026-5710 | Arbitrary File Read | Vulnerable parameter: mfile[] |
| CVE-2026-5710 | Information Disclosure | Files disclosed as email attachments, limited to 'wp-content' folder |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 17, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.