PatchSiren cyber security CVE debrief
CVE-2026-49055 Glen Don Mongaya CVE debrief
CVE-2026-49055 is a HIGH severity Unauthenticated Cross Site Scripting (XSS) vulnerability affecting Drag and Drop Multiple File Upload – Contact Form 7 plugin versions <= 1.3.9.7. The vulnerability has a CVSS score of 7.1 and was published on [2026-06-15](https://www.cve.org/CVERecord?id=CVE-2026-49055).
- Vendor: Glen Don Mongaya
- Product: Drag and Drop Multiple File Upload – Contact Form 7
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Administrators and users of WordPress sites utilizing the Drag and Drop Multiple File Upload – Contact Form 7 plugin version 1.3.9.7 or earlier should prioritize patching this vulnerability to prevent potential XSS attacks.
Technical summary
The vulnerability, classified as CWE-79, allows unauthenticated attackers to inject malicious scripts into the affected plugin. The attack vector is network-based (AV:N), attack complexity is low (AC:L), and exploitation requires user interaction (UI:R).
Defensive priority
HIGH
Recommended defensive actions
- Update Drag and Drop Multiple File Upload – Contact Form 7 plugin to a version greater than 1.3.9.7.
- Review and monitor your WordPress site for suspicious activity.
Evidence notes
Evidence of this vulnerability was provided by Patchstack, with additional details available in the [Patchstack advisory](https://patchstack.com/database/wordpress/plugin/drag-and-drop-multiple-file-upload-contact-form-7/vulnerability/wordpress-drag-and-drop-multiple-file-upload-contact-form-7-plugin-1-3-9-7-cross-site-scripting-xss-vulnerability?_s_id=cve).
Official resources
- CVE-2026-49055 CVE record (CVE.org)
- CVE-2026-49055 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference
CVE-2026-49055 was published on June 15, 2026, and last modified on June 15, 2026.