What the vulnerability does
01 Description
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types to the affected site's server. Remote code execution may then be possible on servers configured to handle .phar files as executable PHP scripts, particularly in default Apache+mod_php configurations where the file extension is not strictly validated before being passed to the PHP interpreter.
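As an added illustration (not code from the plugin or from this advisory), the PHP below contrasts the blacklist model the description says was bypassed with an allowlist check that also verifies the detected MIME type. The function names, the allowed-extension table and the sample filenames are constructed for the example.

```php
<?php
// Added example, not the plugin's code. Demonstrates why extension blacklists
// fail and how an allowlist plus content-type check closes the gap.
declare(strict_types=1);

// Blacklist model: anything not explicitly banned is accepted. The constructed
// list below omits .phar, mirroring the bypass the advisory describes.
function blacklist_allows(string $filename): bool {
    $banned = ['php', 'php3', 'php5', 'phtml'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $banned, true);
}

// Allowlist model: only a fixed set of extensions is accepted, every
// dot-separated segment after the base name is checked (so multi-extension
// names are rejected), and the final extension must match the MIME type
// detected from the file's content, not the client-supplied Content-Type.
function allowlist_allows(string $filename, string $detected_mime): bool {
    $allowed = [
        'pdf'  => 'application/pdf',
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
    ];
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2 || $parts[0] === '') {
        return false; // no extension at all, or a dotfile
    }
    foreach (array_slice($parts, 1) as $segment) {
        if (!isset($allowed[$segment])) {
            return false;
        }
    }
    return $allowed[end($parts)] === $detected_mime;
}

// Constructed sample uploads: filename plus the MIME type a server-side
// detector (e.g. finfo_file() on the temporary file) is assumed to report.
$samples = [
    ['brochure.pdf',  'application/pdf'],
    ['payload.phar',  'application/octet-stream'],
    ['PAYLOAD.PHAR',  'application/octet-stream'],
    ['image.php.png', 'image/png'],
];
foreach ($samples as [$name, $mime]) {
    printf("%-14s blacklist=%s allowlist=%s\n", $name,
        blacklist_allows($name) ? 'accept' : 'reject',
        allowlist_allows($name, $mime) ? 'accept' : 'reject');
}
```

Only the first sample passes the allowlist; the blacklist accepts all four, including both .phar variants.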
Explanation of Vulnerability in Simple Terms
02 Summary
The Drag and Drop Multiple File Upload for Contact Form 7 plugin allows unauthenticated attackers to upload files without proper validation. An attacker can upload malicious files—including executable code—to the server by sending a crafted request. This can lead to remote code execution, data theft, or site compromise. Update to a version newer than 1.3.8.9.
What an attacker can do
03 Attacker Capabilities
Upload malicious files (including executable code) to the server without authentication.
Potential impact on your site
04 Site Impact
Attackers can run code on your site, steal data, or take full control of your WordPress installation.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
June 17, 2025: CVE published
April 8, 2026: Record updated