What the vulnerability does
01 Description
The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. The plugin extracts the file extension before sanitization occurs, and it allows the file type parameter to be controlled by the attacker rather than restricting it to administrator-configured values. Because validation is performed on the unsanitized extension while the file is saved with a sanitized extension, special characters such as '$' are stripped during the save process, so the name that is checked is not the name that is written to disk. This makes it possible for unauthenticated attackers to upload arbitrary PHP files and potentially achieve remote code execution. However, an .htaccess file and name randomization are in place, which restricts real-world exploitability.
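The following is an added example written for this page; it is not the plugin's code and does not reproduce its internals. It models the ordering flaw described above in a generic upload handler: the flawed version extracts the extension before sanitization, validates it against a type list taken from the request, and then saves under the sanitized name; the hardened version sanitizes first, validates the exact name that will be written, and consults only a server-side allowlist. The allowlist contents, the character set stripped by the sanitizer, and the presence of a deny list of executable extensions in the flawed handler are assumptions made for illustration, not facts taken from the advisory.

```python
import os
import re
import secrets
from typing import Optional

# Assumption: the extensions the site administrator configured. In the hardened
# handler this is the only source of truth for what may be stored.
ADMIN_ALLOWED_EXTENSIONS = {"pdf", "png", "jpg"}

# Assumption: a deny list the flawed handler also checks. It is here only to show
# that a deny list evaluated on the unsanitized extension is defeated by the
# validate-then-sanitize ordering; the advisory does not say whether the plugin has one.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php5", "phar"}

# Assumption: the sanitizer removes every character outside this set. The advisory
# only states that special characters such as '$' are stripped on save.
_STRIP_RE = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_filename(name: str) -> str:
    """Drop any path component and strip special characters, as a save routine would."""
    name = os.path.basename(name.replace("\\", "/"))
    return _STRIP_RE.sub("", name)


def extension_of(name: str) -> str:
    """Return the lowercase text after the final dot, or '' if there is no dot."""
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def vulnerable_upload(filename: str, allowed_types_param: str) -> Optional[str]:
    """Flawed order: the type list comes from the request, the extension is read from
    the raw name, and the file is then written under a different (sanitized) name.
    Returns the stored file name, or None if the upload is rejected."""
    allowed = {t.strip().lower() for t in allowed_types_param.split("|") if t.strip()}
    ext = extension_of(filename)                  # extracted BEFORE sanitization
    if ext not in allowed or ext in EXECUTABLE_EXTENSIONS:
        return None
    return sanitize_filename(filename)            # stored name != validated name


def hardened_upload(filename: str, randomize: bool = False) -> Optional[str]:
    """Correct order: sanitize, then validate the name that will actually be stored,
    against an allowlist the request cannot influence. With randomize=True the stored
    name is a random token plus the validated extension, which also prevents a
    client from choosing the on-disk name."""
    safe = sanitize_filename(filename)
    ext = extension_of(safe)                      # extracted AFTER sanitization
    if not ext or ext not in ADMIN_ALLOWED_EXTENSIONS:
        return None
    if randomize:
        return f"{secrets.token_hex(8)}.{ext}"
    return safe


if __name__ == "__main__":
    # Constructed inputs: a request-supplied type list containing "php$" and a file
    # whose raw extension matches it but sanitizes to "php".
    print(vulnerable_upload("report.php$", "pdf|php$"))   # report.php
    print(hardened_upload("report.php$"))                 # None
    print(hardened_upload("report.pdf", randomize=True))  # <16 hex chars>.pdf
```

The check that matters for a reviewer of any upload handler is that the string passed to the extension test is byte-for-byte the string handed to the filesystem; in the flawed function those are two different values, and no deny list applied to the first one can protect the second.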
Explanation of Vulnerability in Simple Terms
02 Summary
The Drag and Drop File Upload for Contact Form 7 plugin allows attackers to upload files without proper validation. An attacker can upload malicious files to the server, potentially gaining the ability to run code or access sensitive data. All versions up to 1.1.3 are affected. Update immediately to a patched version.
What an attacker can do
03 Attacker Capabilities
Upload malicious files to the server and potentially run code or access sensitive data.
Potential impact on your site
04 Site Impact
Attackers can upload and execute malicious files, compromising your site's security and data.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
April 24, 2026: CVE published
April 24, 2026: Record updated