CVE-2026-5364: CWE-434 Unrestricted Upload of File with Dangerous Type in addonsorg Drag and Drop File Upload for Contact Form 7
The Drag and Drop File Upload for Contact Form 7 WordPress plugin (versions up to 1. 1. 3) contains a vulnerability allowing unauthenticated attackers to upload arbitrary PHP files due to improper file extension handling. The plugin extracts the file extension before sanitization and allows attacker control over the file type parameter, leading to potential remote code execution. However, an . htaccess file and filename randomization reduce the likelihood of successful exploitation. No official patch or remediation guidance is currently confirmed.
AI Analysis
Technical Summary
CVE-2026-5364 is a high-severity vulnerability in the Drag and Drop File Upload for Contact Form 7 plugin for WordPress, affecting versions up to 1.1.3. The issue arises because the plugin validates file types based on an unsanitized extension while saving files with a sanitized extension, allowing attackers to bypass restrictions by using special characters like '$'. This enables unauthenticated attackers to upload arbitrary PHP files, potentially leading to remote code execution. Mitigating factors include the presence of an .htaccess file and filename randomization, which limit real-world exploitability. No patch or official remediation level is currently documented.
Potential Impact
Successful exploitation could allow unauthenticated attackers to upload arbitrary PHP files, potentially leading to remote code execution with high impact on confidentiality, integrity, and availability. However, existing mitigations such as .htaccess restrictions and filename randomization reduce the practical exploitability of this vulnerability. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider disabling the vulnerable plugin or restricting file upload capabilities. Monitor vendor channels for updates and apply patches promptly once released.
CVE-2026-5364: CWE-434 Unrestricted Upload of File with Dangerous Type in addonsorg Drag and Drop File Upload for Contact Form 7
Description
The Drag and Drop File Upload for Contact Form 7 WordPress plugin (versions up to 1. 1. 3) contains a vulnerability allowing unauthenticated attackers to upload arbitrary PHP files due to improper file extension handling. The plugin extracts the file extension before sanitization and allows attacker control over the file type parameter, leading to potential remote code execution. However, an . htaccess file and filename randomization reduce the likelihood of successful exploitation. No official patch or remediation guidance is currently confirmed.
CVSS v3.1
Score 8.1high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-5364 is a high-severity vulnerability in the Drag and Drop File Upload for Contact Form 7 plugin for WordPress, affecting versions up to 1.1.3. The issue arises because the plugin validates file types based on an unsanitized extension while saving files with a sanitized extension, allowing attackers to bypass restrictions by using special characters like '$'. This enables unauthenticated attackers to upload arbitrary PHP files, potentially leading to remote code execution. Mitigating factors include the presence of an .htaccess file and filename randomization, which limit real-world exploitability. No patch or official remediation level is currently documented.
Potential Impact
Successful exploitation could allow unauthenticated attackers to upload arbitrary PHP files, potentially leading to remote code execution with high impact on confidentiality, integrity, and availability. However, existing mitigations such as .htaccess restrictions and filename randomization reduce the practical exploitability of this vulnerability. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider disabling the vulnerable plugin or restricting file upload capabilities. Monitor vendor channels for updates and apply patches promptly once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-04-01T17:45:09.888Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69eb095d87115cfb68f0d940
Added to database: 4/24/2026, 6:10:37 AM
Last enriched: 5/1/2026, 8:42:35 PM
Last updated: 6/8/2026, 8:19:35 AM
Views: 79
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.