This vulnerability (CVE-2026-49055) is classified as CWE-79, indicating improper neutralization of input during web page generation, leading to Cross-Site Scripting (XSS). It affects the Drag and Drop Multiple File Upload – Contact Form 7 plugin in versions up to and including 1.3.9.7. The issue allows unauthenticated attackers to inject malicious scripts, potentially impacting confidentiality, integrity, and availability. The CVSS 3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and scope changed with low impact on confidentiality, integrity, and availability. No vendor advisory or patch information is currently provided.

Successful exploitation can lead to execution of arbitrary scripts in the context of the affected web application, potentially allowing attackers to steal sensitive information, manipulate content, or disrupt service. The vulnerability affects confidentiality, integrity, and availability to a low degree but can be leveraged for further attacks due to its unauthenticated nature and network accessibility.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider applying temporary mitigations such as disabling the vulnerable plugin or restricting access to affected functionality. Monitor official channels for updates from the vendor Glen Don Mongaya regarding patches or workarounds.