Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.9.6 – Unauthenticated Arbitrary File Upload | CVE 2026-3459 | Plugin Vulnerabilities

Description

The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if the form includes a multiple file upload field with ‘*’ as the accepted file type.

Affects Plugins

drag-and-drop-multiple-file-upload-contact-form-7

Fixed in 1.3.9.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3205670c-5c3c-48c3-a34a-6f9c25668258

Miscellaneous

Original Researcher

Thomas Sanzey

Verified

No

WPVDB ID

b67a01c1-eded-49f3-8098-fdef584e5073

Timeline

Publicly Published

2026-03-05 (about 3 months ago)

Added

2026-03-05 (about 3 months ago)

Last Updated

2026-03-06 (about 3 months ago)

Other

Published

Title

Published

2021-06-28

Title

SP Project & Document Manager < 4.24 - Subscriber+ Shell Upload

Published

2026-05-28

Title

MagicForm <= 0.1.3 - Unauthenticated Arbitrary File Upload to RCE

Published

2021-10-05

Title

MStore API < 3.4.5 - Unauthenticated PHP File Upload

Published

2024-11-13

Title

User Management < 1.2 - Subscriber+ Arbitrary File Upload

Published

2022-08-01

Title

Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload