Platform
wordpress
Component
drag-and-drop-multiple-file-upload-contact-form-7
Fixed in
1.3.10
1.3.9.7
CVE-2026-5710 represents an Arbitrary File Access vulnerability affecting the Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress. This vulnerability allows attackers to potentially read sensitive files on the server by manipulating file upload parameters. Versions of the plugin up to and including 1.3.9.6 are affected; however, a patch is available in version 1.3.9.7.
CVE-2026-5710 affects the 'Drag and Drop Multiple File Upload for Contact Form 7' plugin for WordPress versions up to and including 1.3.9.6. It's a Path Traversal vulnerability leading to Arbitrary File Read. The plugin fails to properly validate user-supplied mfile[] POST values, allowing attackers to manipulate filenames and access files outside the intended upload directory. The CVSS score is 7.5, indicating a high-severity risk. Potential impacts include exposure of sensitive data such as source code, configuration files, database information, and potentially remote code execution if combined with other vulnerabilities.
An attacker could exploit this vulnerability by submitting a contact form with manipulated attachments. By modifying filenames to include sequences like '..', the attacker can navigate outside the intended upload directory and access unauthorized files on the server. This exploitation can be performed through a simple HTTP request, without authentication, making it a significant risk for vulnerable WordPress websites. The ease of exploitation and potential impact make this vulnerability a high priority for remediation.
Exploit Status
EPSS
0.14% (34th percentile)
CISA SSVC
CVSS Vector
The solution is to update the 'Drag and Drop Multiple File Upload for Contact Form 7' plugin to version 1.3.9.7 or later. This version includes a fix that validates and sanitizes user-provided filenames, preventing path manipulation. Applying this update promptly is crucial to mitigate the risk of exploitation. Additionally, review your web server configuration to ensure proper file access restrictions are in place. Regularly monitoring server logs for suspicious activity is also a recommended security practice.
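To make the fix described above concrete, here is an added example (not the plugin's own code) that contrasts the unsafe pattern of trusting a user-supplied mfile[] value when building a path with a hardened version that reduces the value to a bare filename and then verifies the result still resolves inside the intended upload directory. The `$uploadDir` argument and the sample values are assumptions constructed for the demonstration.

```php
<?php
// Added example, not taken from the plugin. Shows why a raw mfile[] value
// must never reach the filesystem layer, and what a containment check looks like.

function unsafe_target_path(string $uploadDir, string $mfileValue): string {
    // Vulnerable pattern: the POST value is trusted as-is, so '..' segments or
    // an absolute path let the resolved path escape $uploadDir.
    return rtrim($uploadDir, '/') . '/' . $mfileValue;
}

function safe_target_path(string $uploadDir, string $mfileValue): ?string {
    $base = realpath($uploadDir);          // canonical upload directory (assumed to exist)
    if ($base === false) {
        return null;
    }
    // 1. Keep only the last path component and replace anything that is not a
    //    plain filename character. Inside WordPress, sanitize_file_name() does
    //    this job; plain PHP is used here so the example runs stand-alone.
    $name = basename(str_replace('\\', '/', $mfileValue));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    // 2. Reject empty names and names that collapse to a dot segment.
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // 3. Belt-and-braces: the directory of the final path must still be $base.
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    if (realpath(dirname($candidate)) !== $base) {
        return null;
    }
    return $candidate;
}

// Constructed sample values as they might arrive in mfile[].
$samples = ['report.pdf', '../../outside.txt', '/tmp/../other.txt', 'a/../../../x.txt'];
$dir = sys_get_temp_dir();   // stand-in for the plugin's upload directory
foreach ($samples as $value) {
    printf("%-20s unsafe=%s\n%-20s safe=%s\n", $value,
        unsafe_target_path($dir, $value), '',
        safe_target_path($dir, $value) ?? 'REJECTED');
}
```

Every traversal sample ends up either confined to `$dir` under its last path component or rejected outright, whereas the unsafe version hands the server a path outside the upload directory.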
Update to version 1.3.9.7, or a newer patched version
Path Traversal is a security vulnerability that allows an attacker to access files and directories on a web server that they shouldn't have access to. It's achieved by manipulating file paths in HTTP requests.
If you are using version 1.3.9.6 or earlier of the 'Drag and Drop Multiple File Upload for Contact Form 7' plugin, you are vulnerable. Updating is the only way to fix the vulnerability.
If you can't update immediately, consider temporarily disabling the plugin or implementing firewall rules to block suspicious requests.
There are web vulnerability scanners that can detect this vulnerability. You can also perform manual testing by submitting contact forms with manipulated filenames.
Review all Contact Form 7 plugins you use to ensure they are updated and do not have known vulnerabilities.