CVE-2026-5364 HIGH

CVE-2026-5364: Drag and Drop File Upload for Contact Form 7 <= 1.1.3 - Unauthenticated Arbitrary File Upload via sanitize_file_name Bypass

Vendor Addonsorg
Product Drag and Drop File Upload for Contact Form 7
Weakness CWE-434 · Unrestricted file upload
Published April 24, 2026
Last update April 24, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. The plugin extracts the file extension before sanitization occurs, and the file type parameter is controlled by the attacker rather than being restricted to administrator-configured values. Because validation runs on the unsanitized extension while the file is saved under a sanitized name, special characters such as '$' are stripped during the save step, so the extension that was validated and the extension that ends up on disk differ. This makes it possible for unauthenticated attackers to upload arbitrary PHP files and potentially achieve remote code execution; however, an .htaccess file and filename randomization are in place, which restricts real-world exploitability.
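The ordering problem described above, as an added illustration that is not the plugin's own code: the vulnerable path checks the extension of the raw filename against a request-supplied type list and then saves under the sanitized name, while the hardened path sanitizes first and compares only against the administrator's allowlist. `sanitize_file_name_stub` is a simplified stand-in for WordPress `sanitize_file_name()` that strips the same special characters; the filename and type lists are constructed for the example.

```php
<?php
// Added example, not the plugin's code. Models the check-then-sanitize ordering
// bug from the description: validation sees one extension, the disk sees another.

// Simplified stand-in for WordPress sanitize_file_name(): strips the same special
// characters, including '$' (the real function also rewrites spaces, repeated
// dots and multi-extension names, which this example does not need).
function sanitize_file_name_stub(string $name): string {
    $special = ['?', '[', ']', '/', '\\', '=', '<', '>', ':', ';', ',', "'", '"',
                '&', '$', '#', '*', '(', ')', '|', '~', '`', '!', '{', '}', '%', '+', "\0"];
    return trim(str_replace($special, '', $name), '.-_');
}

function extension_of(string $name): string {
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

// Vulnerable ordering: extension read from the raw name, allowlist taken from the request.
// Returns the name that would be written, or null if rejected.
function vulnerable_accepts(string $raw_name, array $request_types): ?string {
    $ext = extension_of($raw_name);                 // checked BEFORE sanitization
    if (!in_array($ext, $request_types, true)) {
        return null;
    }
    return sanitize_file_name_stub($raw_name);      // saved AFTER sanitization
}

// Hardened ordering: sanitize first, derive the extension from the name that will
// actually be stored, and compare only against the administrator-configured list.
function hardened_accepts(string $raw_name, array $admin_types): ?string {
    $saved = sanitize_file_name_stub($raw_name);
    $ext   = extension_of($saved);
    if ($ext === '' || !in_array($ext, $admin_types, true)) {
        return null;
    }
    return $saved;
}

$admin_types = ['pdf', 'jpg', 'png'];   // constructed: what the site owner configured
$name        = 'report.php$';           // constructed: '$' survives the check but not the save

$v = vulnerable_accepts($name, ['php$']);   // request-controlled type list
$h = hardened_accepts($name, $admin_types);
printf("vulnerable path stores: %s\n", $v ?? 'rejected');   // report.php
printf("hardened path stores:   %s\n", $h ?? 'rejected');   // rejected
```

The hardened function is also the check to add in a detection rule or code review: any upload handler whose validated extension is computed from a different string than the one passed to the filesystem has this class of defect.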

Explanation of Vulnerability in Simple Terms

02 Summary

The Drag and Drop File Upload for Contact Form 7 plugin allows attackers to upload files without proper validation. An attacker can upload malicious files to the server, potentially gaining the ability to run code or access sensitive data. All versions up to 1.1.3 are affected. Update immediately to a patched version.

What an attacker can do

03 Attacker Capabilities

Upload malicious files to the server and potentially run code or access sensitive data.

Potential impact on your site

04 Site Impact

Attackers can upload and execute malicious files, compromising your site's security and data.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

April 24, 2026 CVE published
April 24, 2026 Record updated