External risk intelligence

WordPress plugin lets attackers upload malicious files to take control

CVE advisory
Severity: HIGH (CVSS 8.1)

CVE-2026-5718

The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin has an unrestricted file upload flaw. Unauthenticated attackers can upload arbitrary files, including PHP scripts, and potentially take control of the site. Because contact forms are internet-facing by design, the vulnerable upload path is normally reachable from the internet.

Halo Surface Signal: 5

Unrestricted File Upload

External exposure likelihood

Halo Surface Signal score for CVE-2026-5718

The vulnerability affects a WordPress plugin designed for public-facing contact forms. Contact forms are intended to be accessible to anonymous internet users for submissions. Because the vulnerable file upload functionality is integrated directly into these public-facing web components, it is exposed to the internet by design in normal use.

PCI scan relevance

PCI Relevance for CVE-2026-5718

Yes

CVE-2026-5718 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This arbitrary file upload vulnerability allows attackers to upload malicious files, potentially leading to remote code execution, which would cause a PCI scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin lets unauthenticated attackers upload arbitrary files. Its file-type validation can be defeated when a custom blacklist replaces the default list of dangerous extensions, and its filename sanitization can be bypassed with non-ASCII characters, so a PHP script can land on the server and lead to remote code execution.

  • Attacker can upload malicious files.
  • Website code can be compromised.
  • Affects publicly accessible forms.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker submits a crafted file through the vulnerable contact form. On a site where a custom blacklist has replaced the default list of dangerous extensions, or where the filename uses non-ASCII characters that slip past the plugin's sanitization routine, the file (typically a PHP script) is written to the server's upload directory. If the web server executes PHP from that directory, the attacker requests the file by URL and obtains remote code execution.

  • Target: WordPress contact form upload.
  • Access: Unauthenticated.
  • Precondition: a custom file-type blacklist that replaces, rather than merges with, the default dangerous-extension list.

Live Threat

Current exploitation, exposure, and threat context

This WordPress plugin vulnerability allows unauthenticated attackers to upload arbitrary files, including executable PHP files, to the server. A patch was released, but a bypass of that patch was subsequently reported, so sites may remain exposed until they run a version that also closes the bypass. Remote code execution via file upload on a widely deployed platform makes this an attractive target.

  • Public exploit details exist.
  • Bypass for patch reported recently.
  • Affects public-facing forms.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate mitigation by blocking or filtering uploads of executable file types and ensuring that executable files are not permitted in upload directories, especially where the Drag and Drop Multiple File Upload for Contact Form 7 plugin is installed. Given the reported bypass of the patch, also review existing uploads and monitor for suspicious file uploads or unexpected activity on affected servers. If the plugin is not essential, disable it until a release that also addresses the bypass is confirmed.

  • Block executable file uploads.
  • Monitor for suspicious file activity.
  • Disable plugin if not critical.
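The "review existing uploads" and "monitor for suspicious file activity" steps above can be started with a triage pass over the uploads tree. The script below is an added example, not a vendor tool or code from the plugin: it flags files whose name contains a dangerous extension segment anywhere (e.g. `shell.php.jpg`), files with non-ASCII names (the bypass vector this advisory describes), and files of any extension that contain a PHP open tag. The extension list, the content markers and the sample `wp-content/uploads/2026/04/` tree are constructed assumptions.

```python
"""Triage scan of a WordPress uploads tree for files an upload filter should
never have accepted: dangerous extension segments, non-ASCII names (the
bypass vector in this advisory) and PHP open tags inside files of any
extension. Added example code, not a vendor tool; the extension list, the
content markers and the sample tree are assumptions."""
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed set of extensions that should never appear anywhere in an upload name.
DANGEROUS_EXTS = frozenset({
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
    "html", "htm", "js", "svg", "exe", "sh",
})
# Byte markers that identify PHP source regardless of the file's extension.
PHP_MARKERS = (b"<?php", b"<?=")


def findings_for(path: Path) -> List[str]:
    """Reasons a single file deserves review; an empty list means it looks clean."""
    reasons = []
    if any(seg in DANGEROUS_EXTS for seg in path.name.lower().split(".")[1:]):
        reasons.append("dangerous extension segment")
    if not path.name.isascii():
        reasons.append("non-ASCII filename")
    try:
        head = path.read_bytes()[:4096]
    except OSError:
        head = b""
    if any(marker in head for marker in PHP_MARKERS):
        reasons.append("PHP open tag in content")
    return reasons


def scan_uploads(root: Path) -> Dict[str, List[str]]:
    """Walk the uploads tree and map each flagged file (relative path) to its reasons."""
    results: Dict[str, List[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = findings_for(p)
            if reasons:
                results[p.relative_to(root).as_posix()] = reasons
    return results


def build_sample_tree(base: Path) -> Path:
    """Constructed sample tree mimicking wp-content/uploads/<year>/<month>/."""
    month = base / "wp-content" / "uploads" / "2026" / "04"
    month.mkdir(parents=True)
    (month / "resume.pdf").write_bytes(b"%PDF-1.7\n")
    (month / "cover.jpg").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF")
    (month / "shell.php").write_bytes(b"<?php system($_GET['c']); ?>")
    (month / "image.php.jpg").write_bytes(b"<?php echo 1; ?>")
    (month / "notes.txt").write_bytes(b"<?php phpinfo();")  # webshell renamed to .txt
    (month / "caf\u00e9.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    return base / "wp-content" / "uploads"


def run_demo() -> Dict[str, List[str]]:
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_uploads(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for rel, reasons in run_demo().items():
        print(f"{rel}: {'; '.join(reasons)}")
```

Point `scan_uploads` at a real `wp-content/uploads` directory to use it on a site. A non-ASCII filename is a review signal rather than proof of compromise (legitimate users upload accented names), which is why the scan reports reasons per file instead of a single verdict; the content check is what catches a webshell that was renamed to an innocuous extension.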

Frequently asked questions

What is the Drag and Drop Multiple File Upload for Contact Form 7 plugin?

The Drag and Drop Multiple File Upload for Contact Form 7 is a WordPress plugin that enhances forms by allowing users to upload multiple files easily using a drag-and-drop interface or a traditional file browse option. It's designed to improve the user experience for submitting files like resumes, images, or documents through web forms [8, 11, 12, 14].

What kind of vulnerability is CVE-2026-5718?

CVE-2026-5718 is an arbitrary file upload vulnerability, classified as CWE-434. It occurs because the plugin does not properly validate file types when custom blacklists are configured, and because its filename sanitization can be bypassed with filenames containing non-ASCII characters. This allows attackers to upload malicious files, such as PHP scripts, to the server [1, 2, 6, 7].

What are the attacker's preconditions for exploiting CVE-2026-5718?

An attacker needs to target a WordPress site using a vulnerable version of the plugin where custom file type blacklists have been configured in a way that replaces, rather than merges with, the default dangerous extension list. The attacker must also be able to upload a file through a contact form. The vulnerability is not triggered by default configurations or if custom blacklists are merged correctly with default protections [1, 2, 5, 6].
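The Attack Path section and the two answers above describe two separate weaknesses: a custom blacklist that replaces rather than merges with the default dangerous-extension list, and a sanitization step that non-ASCII filenames can slip past. The Python model below is an added example and is not the plugin's source code; the default blacklist, the allowlist and the storage-name sanitizer are assumptions chosen to show the generic pattern. It places a weak check beside a hardened one: the weak check tests only the last extension of the raw name against whatever list is configured, then stores a sanitized name, so `shell.ṗhp` (p with dot above, U+1E57) passes the check and is written as `shell.php`; the hardened check merges lists, decides on the name that will actually be stored, rejects a dangerous segment anywhere in the name, and requires an allowlisted final extension.

```python
"""Model of the validation weaknesses this advisory describes (CWE-434):
a custom blacklist that replaces the defaults, a check on only the last
extension, and a check performed on the raw filename before it is
sanitized for storage. Added example code; the sanitizer, the default
blacklist and the allowlist are assumptions, not the plugin's source."""
import unicodedata
from typing import List, Optional, Set, Tuple

# Assumed default list of extensions an upload handler should always refuse.
DEFAULT_BLACKLIST = frozenset({
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
    "html", "htm", "js", "svg", "exe", "sh",
})

# Assumed allowlist for a contact form that collects documents and images.
DEFAULT_ALLOWLIST = frozenset({"pdf", "png", "jpg", "jpeg", "gif", "docx"})


def sanitize_for_storage(name: str) -> str:
    """Assumed storage-name sanitizer: decompose accented letters, drop the
    combining marks, then keep only a conservative ASCII character set.
    'shell.\u1e57hp' (p with dot above) becomes 'shell.php'."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(c for c in stripped if c.isascii() and (c.isalnum() or c in "._-"))


def extensions(name: str) -> List[str]:
    """Every extension segment, lower-cased: 'a.php.jpg' -> ['php', 'jpg']."""
    return name.lower().split(".")[1:]


def vulnerable_accept(name: str, custom_blacklist: Optional[Set[str]]) -> Tuple[bool, str]:
    """Weak check: a custom list replaces the defaults instead of merging,
    only the final extension is tested, and the raw (unsanitized) name is
    tested even though a different, sanitized name is what gets stored."""
    blacklist = custom_blacklist if custom_blacklist is not None else DEFAULT_BLACKLIST
    exts = extensions(name)
    if exts and exts[-1] in blacklist:
        return False, ""
    return True, sanitize_for_storage(name)


def hardened_accept(name: str, custom_blacklist: Optional[Set[str]],
                    allowlist=DEFAULT_ALLOWLIST) -> Tuple[bool, str]:
    """Hardened check: merge the custom list with the defaults, decide on the
    name that will actually be stored, reject if any segment is dangerous,
    and require the final extension to be on an explicit allowlist."""
    blacklist = DEFAULT_BLACKLIST | set(custom_blacklist or ())
    stored = sanitize_for_storage(name)
    exts = extensions(stored)
    if not exts or any(e in blacklist for e in exts):
        return False, ""
    if exts[-1] not in allowlist:
        return False, ""
    return True, stored


if __name__ == "__main__":
    for raw, custom in [("shell.php", {"exe"}), ("shell.\u1e57hp", None),
                        ("shell.php.jpg", None), ("resume.pdf", {"exe"})]:
        print(raw, "weak:", vulnerable_accept(raw, custom), "hardened:", hardened_accept(raw, custom))
```

The ordering is the point: validate the name you will store, not the name you received, and treat a site-specific blacklist as an addition to the defaults, never a replacement. The `shell.php.jpg` case is included because some Apache `mod_php` configurations match handlers on any `.php` segment, so a last-extension-only check is not enough even without the other two bugs.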

Who should be concerned about this vulnerability?

Any organization using the Drag and Drop Multiple File Upload for Contact Form 7 plugin on their WordPress site should be concerned. Given that contact forms are often internet-facing, this vulnerability has a high exposure to external threats, meaning attackers from the internet can potentially exploit it [cite:Halo Surface Signal].

What are the first steps to address this threat?

The immediate first step is to update the Drag and Drop Multiple File Upload for Contact Form 7 plugin to a version newer than 1.3.9.6. If the plugin is not essential, consider disabling it. It's also advisable to monitor uploaded files for suspicious activity and ensure that executable file types are not permitted in upload directories [3, 6, 11, 15].

References