PatchSiren cyber security CVE debrief
CVE-2026-5718 glenwpcoder CVE debrief
The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin contains an arbitrary file upload vulnerability affecting versions up to and including 1.3.9.7. The flaw stems from two weaknesses: insufficient file type validation when custom blacklist types are configured (which replaces rather than merges with the default dangerous extension denylist), and a bypass of the wpcf7_antiscript_file_name() sanitization function for filenames containing non-ASCII characters. Unauthenticated attackers can exploit this to upload arbitrary files, including PHP files, enabling remote code execution. The vulnerability was originally reported by Leonid Semenenko (lsemenenko) and partially patched in version 1.3.9.7; a bypass for this patch was subsequently discovered and reported by Nguyen Hung (Mitchell). The CVE was published on 2026-04-17 and last modified on 2026-05-27.
- Vendor: glenwpcoder
- Product: Drag and Drop Multiple File Upload for Contact Form 7
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-17
- Original CVE updated: 2026-05-27
- Advisory published: 2026-04-17
- Advisory updated: 2026-05-27
Who should care
Organizations running WordPress sites with the Drag and Drop Multiple File Upload for Contact Form 7 plugin installed, particularly those using custom file type blacklists. Security teams responsible for WordPress security, web application firewall administrators, and hosting providers with WordPress customers should prioritize assessment and remediation.
Technical summary
The vulnerability exists in the Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin versions up to and including 1.3.9.7. Two distinct weaknesses enable arbitrary file upload: (1) when administrators configure custom blacklist file types, the plugin replaces the default dangerous extension denylist entirely rather than merging with it, potentially allowing dangerous extensions if not explicitly listed; and (2) the wpcf7_antiscript_file_name() sanitization function can be bypassed using filenames containing non-ASCII characters. The combination allows unauthenticated attackers to upload executable PHP files and achieve remote code execution. A partial patch was released in version 1.3.9.7, but this was subsequently bypassed.
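The replace-versus-merge weakness and the filename check, shown as an illustrative PHP example added here (this is not the plugin's own code; the default denylist, the `deny_list_*` and `validate_upload_name` names, and the comma-separated admin setting are assumptions made for the example):

```php
<?php
// Illustrative upload-name validation (added example, not the plugin's code).
// Assumption: $custom_blacklist is an admin-supplied comma-separated string,
// standing in for the plugin's "custom blacklist types" setting.

// Baseline denylist of server-executable / dangerous extensions (constructed list).
const DND_DEFAULT_DENY = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar',
    'exe', 'js', 'html', 'htm', 'svg', 'sh', 'cgi', 'pl'];

// Weak pattern described in the advisory: a custom list REPLACES the defaults,
// so any default entry the admin did not repeat is no longer blocked.
function deny_list_weak(string $custom_blacklist): array {
    if (trim($custom_blacklist) !== '') {
        return array_map('trim', explode(',', strtolower($custom_blacklist)));
    }
    return DND_DEFAULT_DENY;
}

// Hardened pattern: the custom list is MERGED with the defaults.
function deny_list_merged(string $custom_blacklist): array {
    $custom = array_filter(array_map('trim', explode(',', strtolower($custom_blacklist))));
    return array_values(array_unique(array_merge(DND_DEFAULT_DENY, $custom)));
}

// Returns null when the name is acceptable, otherwise the reason it was rejected.
function validate_upload_name(string $name, array $deny): ?string {
    // Reject anything outside printable ASCII so multibyte or control characters
    // cannot reach a sanitizer that only understands ASCII (second weakness above).
    if (!preg_match('/^[\x20-\x7E]+$/', $name)) {
        return 'non-ASCII or control character in filename';
    }
    // Check EVERY dot-separated segment, not only the last one, so double
    // extensions are caught regardless of how the web server maps handlers.
    $parts = array_slice(explode('.', strtolower($name)), 1);
    foreach ($parts as $ext) {
        if (in_array($ext, $deny, true)) {
            return "extension '$ext' is denied";
        }
    }
    return null;
}

// Demonstration: an admin adds only "zip" as a custom blacklist entry.
$admin_setting = 'zip';
foreach (['report.pdf', 'archive.zip', 'image.php'] as $f) {
    $weak   = validate_upload_name($f, deny_list_weak($admin_setting)) ?? 'allowed';
    $merged = validate_upload_name($f, deny_list_merged($admin_setting)) ?? 'allowed';
    printf("%-12s weak: %-30s merged: %s\n", $f, $weak, $merged);
}
```

With the weak list, `image.php` is reported as allowed because the admin's setting silently dropped `php` from the denylist; the merged list rejects it while still honouring the custom `zip` entry.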
Defensive priority
HIGH
Recommended defensive actions
- Upgrade the Drag and Drop Multiple File Upload for Contact Form 7 plugin to a version newer than 1.3.9.7 that addresses the bypass
- Review custom blacklist configurations to ensure they properly merge with rather than replace default dangerous extension denylists
- Implement additional server-side file upload restrictions independent of plugin controls
- Monitor for and block requests attempting to upload files with non-ASCII characters in filenames
- Review web server configurations to prevent execution of uploaded files in upload directories
- Conduct a security assessment of file upload functionality if running affected versions
- Apply the principle of least privilege to web server processes to limit the impact of potential code execution
Evidence notes
The vulnerability description indicates the issue involves insufficient file type validation when custom blacklist types replace the default denylist rather than merging with it, and a sanitization bypass for non-ASCII filenames. Source references point to specific lines in the plugin's dnd-upload-cf7.php file (lines 62, 883, 970, 987) in version 1.3.9.6, as well as changesets 3508522 and 3548901 in the WordPress plugin repository.
Official resources
The vulnerability was originally reported by Leonid Semenenko (lsemenenko) and partially patched in version 1.3.9.7. A bypass for the patch was separately discovered and reported by Nguyen Hung (Mitchell).