CVE-2026-3459 is a vulnerability categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the 'Drag and Drop Multiple File Upload for Contact Form 7' WordPress plugin developed by glenwpcoder. The flaw exists in the 'dnd_upload_cf7_upload' function, which fails to properly validate the file types being uploaded. Specifically, when a Contact Form 7 form includes a multiple file upload field configured to accept all file types using the wildcard '*', the plugin does not restrict or sanitize the uploaded files. This allows unauthenticated attackers to upload arbitrary files, including potentially malicious scripts or executables, to the web server hosting the WordPress site. Successful exploitation could lead to remote code execution (RCE), enabling attackers to take control of the server, steal data, modify content, or disrupt service. The vulnerability affects all plugin versions up to and including 1.3.7.3. The CVSS 3.1 score of 8.1 indicates a high-severity issue with network attack vector, high impact on confidentiality, integrity, and availability, no privileges or user interaction required, and unchanged scope. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk given the popularity of Contact Form 7 and its extensions in WordPress environments worldwide.

The impact of CVE-2026-3459 is substantial for organizations using the affected plugin in their WordPress sites. An attacker can upload arbitrary files without authentication, potentially leading to remote code execution on the web server. This can result in full server compromise, data breaches, defacement, malware deployment, or use of the server as a pivot point for further attacks within the network. The confidentiality, integrity, and availability of the affected systems are all at high risk. Given the widespread use of Contact Form 7 and its extensions, many organizations, including businesses, government agencies, and non-profits, could be affected. The vulnerability's ease of exploitation (no authentication or user interaction required) increases the likelihood of attacks, especially on sites that have forms configured with permissive file upload settings. The absence of known exploits in the wild suggests that proactive patching and mitigation can prevent widespread damage.

To mitigate CVE-2026-3459, organizations should immediately review their WordPress sites using the Drag and Drop Multiple File Upload for Contact Form 7 plugin. Specific actions include: 1) Disable or remove the plugin if not essential; 2) Avoid using multiple file upload fields configured with the wildcard '*' for accepted file types; 3) Implement strict file type validation on the server side to restrict uploads to safe file extensions (e.g., images, PDFs); 4) Monitor and restrict upload directories to prevent execution of uploaded files by configuring proper web server permissions and disabling script execution in upload folders; 5) Keep WordPress core, plugins, and themes updated and watch for official patches or updates from the plugin vendor; 6) Employ web application firewalls (WAFs) to detect and block suspicious upload attempts; 7) Conduct regular security audits and scanning for unauthorized files or web shells; 8) Educate site administrators about secure form configurations and the risks of unrestricted file uploads. Since no patch links are currently available, closely monitor vendor announcements for updates.