Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Drag and Drop File Upload for Contact Form 7 by addonsorg

    CVE-2026-5364 (GCVE-0-2026-5364)

    Vulnerability from nvd – Published: 2026-04-24 05:29 – Updated: 2026-04-24 18:30
    VLAI
    Title
    Drag and Drop File Upload for Contact Form 7 <= 1.1.3 - Unauthenticated Arbitrary File Upload via sanitize_file_name Bypass
    Summary
    The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the attacker rather than being restricted to administrator-configured values, which when combined with the fact that validation occurs on the unsanitized extension while the file is saved with a sanitized extension, allows special characters like '$' to be stripped during the save process. This makes it possible for unauthenticated attackers to upload arbitrary PHP files and potentially achieve remote code execution, however, an .htaccess file and name randomization is in place which restricts real-world exploitability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Credits
    Thomas Sanzey
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5364",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-24T18:29:46.008653Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-24T18:30:14.939Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Drag and Drop File Upload for Contact Form 7",
              "vendor": "addonsorg",
              "versions": [
                {
                  "lessThanOrEqual": "1.1.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Thomas Sanzey"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the attacker rather than being restricted to administrator-configured values, which when combined with the fact that validation occurs on the unsanitized extension while the file is saved with a sanitized extension, allows special characters like \u0027$\u0027 to be stripped during the save process. This makes it possible for unauthenticated attackers to upload arbitrary PHP files and potentially achieve remote code execution, however, an .htaccess file and name randomization is in place which restricts real-world exploitability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T05:29:37.326Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0548608d-17d5-46f4-9d64-6e3b0552bf9d?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L181"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L181"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L158"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L158"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L147"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L147"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/frontend/index.php#L15"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/frontend/index.php#L15"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3498020%40drag-and-drop-file-upload-for-contact-form-7\u0026new=3498020%40drag-and-drop-file-upload-for-contact-form-7\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-01T18:01:26.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-23T16:36:09.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Drag and Drop File Upload for Contact Form 7 \u003c= 1.1.3 - Unauthenticated Arbitrary File Upload via sanitize_file_name Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5364",
        "datePublished": "2026-04-24T05:29:37.326Z",
        "dateReserved": "2026-04-01T17:45:09.888Z",
        "dateUpdated": "2026-04-24T18:30:14.939Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5364 (GCVE-0-2026-5364)

    Vulnerability from cvelistv5 – Published: 2026-04-24 05:29 – Updated: 2026-04-24 18:30
    VLAI
    Title
    Drag and Drop File Upload for Contact Form 7 <= 1.1.3 - Unauthenticated Arbitrary File Upload via sanitize_file_name Bypass
    Summary
    The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the attacker rather than being restricted to administrator-configured values, which when combined with the fact that validation occurs on the unsanitized extension while the file is saved with a sanitized extension, allows special characters like '$' to be stripped during the save process. This makes it possible for unauthenticated attackers to upload arbitrary PHP files and potentially achieve remote code execution, however, an .htaccess file and name randomization is in place which restricts real-world exploitability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Credits
    Thomas Sanzey
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5364",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-24T18:29:46.008653Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-24T18:30:14.939Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Drag and Drop File Upload for Contact Form 7",
              "vendor": "addonsorg",
              "versions": [
                {
                  "lessThanOrEqual": "1.1.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Thomas Sanzey"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the attacker rather than being restricted to administrator-configured values, which when combined with the fact that validation occurs on the unsanitized extension while the file is saved with a sanitized extension, allows special characters like \u0027$\u0027 to be stripped during the save process. This makes it possible for unauthenticated attackers to upload arbitrary PHP files and potentially achieve remote code execution, however, an .htaccess file and name randomization is in place which restricts real-world exploitability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T05:29:37.326Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0548608d-17d5-46f4-9d64-6e3b0552bf9d?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L181"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L181"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L158"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L158"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L147"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L147"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/frontend/index.php#L15"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/frontend/index.php#L15"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3498020%40drag-and-drop-file-upload-for-contact-form-7\u0026new=3498020%40drag-and-drop-file-upload-for-contact-form-7\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-01T18:01:26.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-23T16:36:09.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Drag and Drop File Upload for Contact Form 7 \u003c= 1.1.3 - Unauthenticated Arbitrary File Upload via sanitize_file_name Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5364",
        "datePublished": "2026-04-24T05:29:37.326Z",
        "dateReserved": "2026-04-01T17:45:09.888Z",
        "dateUpdated": "2026-04-24T18:30:14.939Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }