{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5364", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-01T17:45:09.888Z", "datePublished": "2026-04-24T05:29:37.326Z", "dateUpdated": "2026-04-24T18:30:14.939Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-24T05:29:37.326Z"}, "affected": [{"vendor": "addonsorg", "product": "Drag and Drop File Upload for Contact Form 7", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the attacker rather than being restricted to administrator-configured values, which when combined with the fact that validation occurs on the unsanitized extension while the file is saved with a sanitized extension, allows special characters like '$' to be stripped during the save process. This makes it possible for unauthenticated attackers to upload arbitrary PHP files and potentially achieve remote code execution, however, an .htaccess file and name randomization is in place which restricts real-world exploitability."}], "title": "Drag and Drop File Upload for Contact Form 7 <= 1.1.3 - Unauthenticated Arbitrary File Upload via sanitize_file_name Bypass", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0548608d-17d5-46f4-9d64-6e3b0552bf9d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L181"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L181"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L158"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L158"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L147"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L147"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/frontend/index.php#L15"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/frontend/index.php#L15"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3498020%40drag-and-drop-file-upload-for-contact-form-7&new=3498020%40drag-and-drop-file-upload-for-contact-form-7&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Thomas Sanzey"}], "timeline": [{"time": "2026-04-01T18:01:26.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-23T16:36:09.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T18:29:46.008653Z", "id": "CVE-2026-5364", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:30:14.939Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5364", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-24T18:29:46.008653Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:30:02.355Z"}}], "cna": {"title": "Drag and Drop File Upload for Contact Form 7 <= 1.1.3 - Unauthenticated Arbitrary File Upload via sanitize_file_name Bypass", "credits": [{"lang": "en", "type": "finder", "value": "Thomas Sanzey"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "addonsorg", "product": "Drag and Drop File Upload for Contact Form 7", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-01T18:01:26.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-23T16:36:09.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0548608d-17d5-46f4-9d64-6e3b0552bf9d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L181"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L181"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L158"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L158"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L147"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L147"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/frontend/index.php#L15"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/frontend/index.php#L15"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3498020%40drag-and-drop-file-upload-for-contact-form-7&new=3498020%40drag-and-drop-file-upload-for-contact-form-7&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the attacker rather than being restricted to administrator-configured values, which when combined with the fact that validation occurs on the unsanitized extension while the file is saved with a sanitized extension, allows special characters like '$' to be stripped during the save process. This makes it possible for unauthenticated attackers to upload arbitrary PHP files and potentially achieve remote code execution, however, an .htaccess file and name randomization is in place which restricts real-world exploitability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-24T05:29:37.326Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5364", "state": "PUBLISHED", "dateUpdated": "2026-04-24T18:30:14.939Z", "dateReserved": "2026-04-01T17:45:09.888Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-24T05:29:37.326Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the attacker rather than being restricted to administrator-configured values, which when combined with the fact that validation occurs on the unsanitized extension while the file is saved with a sanitized extension, allows special characters like '$' to be stripped during the save process. This makes it possible for unauthenticated attackers to upload arbitrary PHP files and potentially achieve remote code execution, however, an .htaccess file and name randomization is in place which restricts real-world exploitability."}], "id": "CVE-2026-5364", "lastModified": "2026-04-24T14:38:26.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-24T06:16:08.480", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L147"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L158"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L181"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/frontend/index.php#L15"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L147"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L158"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L181"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/frontend/index.php#L15"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3498020%40drag-and-drop-file-upload-for-contact-form-7&new=3498020%40drag-and-drop-file-upload-for-contact-form-7&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0548608d-17d5-46f4-9d64-6e3b0552bf9d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "drag_and_drop_file_upload_for_contact_form_7", "vendor": "addonsorg"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T06:58:01.892218+00:00", "value": {"mitigation_remediation": ["Update the Drag and Drop File Upload for Contact Form 7 plugin to the latest version that removes the filename sanitization flaw.", "Configure the plugin to accept only the file types explicitly allowed by the site administrators, ensuring server\u2011side validation against the MIME type and file extension.", "Restrict file upload capabilities to users with administrative privileges or other elevated roles, disabling uploads for unauthenticated or low\u2011privilege accounts.", "Add or enforce an .htaccess or equivalent web server rule in the upload directory to disallow execution of PHP or other scripts, preventing uploaded PHP files from running even if they are saved."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Drag and Drop File Upload for Contact Form 7 plugin version 1.1.3 or earlier. The plugin is provided by addonsorg and commonly integrated with the Contact Form 7 ecosystem, affecting any standard WordPress installation that has the plugin installed.", "description_and_impact": "The flaw allows an unauthenticated attacker to upload arbitrary PHP files by manipulating the file type parameter before the extension is sanitized. The plugin validates the unsanitized extension while saving the file with a sanitized filename; special characters such as a dollar sign are stripped during the save process, enabling the upload of executable PHP code. Successful exploitation can lead to remote code execution, although the plugin includes an .htaccess rule and randomly generated filenames that diminish real\u2011world attack effectiveness.", "risk_and_exploitability": "The CVSS score of 8.1 highlights the high severity, while the EPSS score of less than 1% indicates a very low probability of widespread exploitation; the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the lack of authentication requirements and the public upload endpoint mean that any exposed WordPress site could be used by an attacker to try to upload malicious PHP files, potentially achieving remote code execution if the server permits PHP execution in the upload directory. The .htaccess restrictions and filename randomization mitigate but do not eliminate this threat."}}}}, "created": "2026-04-28T07:00:09.540190+00:00", "updated": "2026-04-28T09:18:09.831633+00:00", "vendors": ["addonsorg", "addonsorg$PRODUCT$drag_and_drop_file_upload_for_contact_form_7", "wordpress", "wordpress$PRODUCT$wordpress"]}