cleantalk
Vulnerabilities and Security Researches

Drag and Drop Multiple File Upload – Contact Form 7, CVE-2026-3459

CVE, Research URL

CVE-2026-3459

Home page URL

Security reports for Drag and Drop Multiple File Upload – Contact Form 7

Application

Drag and Drop Multiple File Upload – Contact Form 7

Published on
Mar 06, 2026
Research Description
The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if the form includes a multiple file upload field with ‘*’ as the accepted file type.
Affected versions
max 1.3.9.6.
Status
vulnerable
Previous vulnerability researches
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2025-3515) , Jun 18, 2025
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2026-3459) , Apr 15, 2026
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2026-8991) , Jun 07, 2026
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2026-5718) , Apr 18, 2026
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2026-5710) , Apr 18, 2026
New vulnerability
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress (CVE-2026-6448) , Jun 07, 2026
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator (CVE-2026-8976) , Jun 07, 2026
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg (CVE-2026-7796) , Jun 07, 2026
Backup, Restore and Migrate WordPress Sites With the XCloner Plugin (CVE-2026-48965) , Jun 07, 2026
WP User Manager – User Profile Builder & Membership (CVE-2026-9290) , Jun 07, 2026