WordPress Plugin RCE: Drag and Drop File Upload Flaw
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload, affecting versions up to and including 1.3.9.6, according to the National Vulnerability Database. This high-severity flaw (CVSS 8.1) stems from inadequate file type validation when custom blacklist types are configured. Instead of augmenting the default denylist of dangerous extensions, the custom settings replace it, so the default protections are lost as soon as a custom list is configured, creating a critical bypass.
Further complicating matters, the wpcf7_antiscript_file_name() sanitization function can be bypassed by using non-ASCII characters in filenames. This combination allows unauthenticated attackers to upload arbitrary files, including PHP files, directly to the server. The consequence is clear: remote code execution (RCE) on affected WordPress instances, a nightmare scenario for any defender.
This isn’t just a theoretical flaw; it’s a direct path to server compromise. Attackers can leverage this to establish persistent access, exfiltrate data, or pivot further into the network. For any organization running WordPress with this plugin, the immediate risk is severe and warrants urgent attention.
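The two validation mistakes described above (a custom denylist that replaces the defaults, and a filename check that can be sidestepped with non-ASCII characters) are easiest to see side by side. The following Python is an added illustration for defenders and plugin reviewers, not the plugin's code: the default denylist, the flawed and hardened merge behaviour, and the validation flow are all constructed here.

```python
from typing import Iterable

# Constructed default denylist of server-executable extensions (illustrative,
# not the plugin's actual list).
DEFAULT_DENYLIST = frozenset({
    "php", "php3", "php4", "php5", "php7", "phtml", "phar",
    "pl", "py", "cgi", "asp", "aspx", "jsp", "htaccess",
})

# Only these characters may appear in a stored filename; everything else,
# including any non-ASCII character, is rejected instead of being "cleaned".
SAFE_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-"
)


def effective_denylist_weak(custom: Iterable[str]) -> frozenset:
    """Flawed pattern from the advisory: a configured custom list *replaces*
    the defaults, so a site that blocks only 'exe' silently re-allows .php."""
    custom = frozenset(c.lower().lstrip(".") for c in custom)
    return custom if custom else DEFAULT_DENYLIST


def effective_denylist_hardened(custom: Iterable[str]) -> frozenset:
    """Hardened pattern: custom entries only ever *extend* the default list."""
    return DEFAULT_DENYLIST | frozenset(c.lower().lstrip(".") for c in custom)


def is_upload_allowed(filename: str, custom_denylist: Iterable[str] = (),
                      weak: bool = False) -> bool:
    """Return True only if the upload should be accepted. `weak=True` selects
    the replace-not-extend behaviour purely to demonstrate the defect."""
    denylist = (effective_denylist_weak(custom_denylist) if weak
                else effective_denylist_hardened(custom_denylist))
    # Basename only: path components never come from the client.
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    # Non-ASCII never reaches the extension check; reject rather than rename.
    if not name or not name.isascii() or set(name) - SAFE_CHARS:
        return False
    parts = name.lower().split(".")
    # No extension, or a dotfile such as .htaccess, is not a valid upload.
    if len(parts) < 2 or not parts[0]:
        return False
    # Every segment after the base name is checked, so shell.php.jpg is caught.
    return not any(p in denylist for p in parts[1:])
```

In production an allowlist of expected extensions (e.g. pdf, jpg, png) is stricter still; the denylist form is kept here only to mirror the flaw being discussed.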
What This Means For You
- If your organization uses WordPress with the 'Drag and Drop Multiple File Upload for Contact Form 7' plugin, immediately verify your version. If it's 1.3.9.6 or earlier, you are exposed to unauthenticated remote code execution. Patch this vulnerability NOW. Review your server logs for any suspicious file uploads, especially PHP files, from unauthenticated sources.
🛡️ Detection Rules
Web Application Exploitation Attempt — CVE-2026-5718
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-5718 | RCE | Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress |
| CVE-2026-5718 | RCE | Versions up to, and including, 1.3.9.6 |
| CVE-2026-5718 | Arbitrary File Upload | Insufficient file type validation when custom blacklist types are configured |
| CVE-2026-5718 | Arbitrary File Upload | Bypass of wpcf7_antiscript_file_name() for filenames with non-ASCII characters |
| CVE-2026-5718 | RCE | Unauthenticated attackers can upload arbitrary files (e.g., PHP files) |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 17, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.