Cyber Posture

CVE-2026-5364

High

Published: 24 April 2026
Modified: 24 April 2026
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (34.6th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the attacker rather than being restricted to administrator-configured values. Combined with the fact that validation occurs on the unsanitized extension while the file is saved with a sanitized extension, this allows special characters like '$' to be stripped during the save process. This makes it possible for unauthenticated attackers to upload arbitrary PHP files and potentially achieve remote code execution; however, an .htaccess file and name randomization are in place, which restricts real-world exploitability.

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly remediates the specific flaw in the plugin's file extension extraction, sanitization, and validation logic that enables arbitrary PHP file uploads.
- prevent: Enforces comprehensive validation of uploaded file extensions and contents to prevent attackers from bypassing administrator-configured restrictions and uploading dangerous PHP files.
- prevent / detect: Deploys malicious code protection mechanisms at web entry points to scan, detect, and block arbitrary PHP shells uploaded via the vulnerable drag-and-drop functionality.

Security Summary

CVE-2026-5364 affects the Drag and Drop File Upload for Contact Form 7 plugin for WordPress in versions up to and including 1.1.3. The vulnerability enables arbitrary file upload due to the plugin extracting the file extension before sanitization, allowing attackers to control the file type parameter instead of relying on administrator-configured restrictions. Validation occurs on the unsanitized extension, while the file is saved with a sanitized extension, permitting special characters like '$' to be stripped during the save process, which facilitates the upload of arbitrary PHP files.

Unauthenticated attackers with network access can exploit this issue to upload arbitrary PHP files, potentially achieving remote code execution. The attack requires high complexity, as indicated by the CVSS base score of 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), stemming from CWE-434 (Unrestricted Upload of File with Dangerous Type).

The provided references point to specific lines in the plugin's source code, such as backend/index.php lines 147, 158, and 181 in tags/1.1.2 and trunk, as well as frontend/index.php line 15, highlighting the flawed extension handling and sanitization logic.

In practice, real-world exploitability is restricted by an .htaccess file and name randomization measures in place within the plugin.
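Added example (not the plugin's own code) illustrating the ordering flaw described in the description and summary above: the vulnerable path extracts and validates the extension before sanitizing, against a request-supplied type list, while the hardened path sanitizes first and validates the extension that will actually be stored against a fixed server-side allowlist. The sanitizer is a simplified stand-in, and the function names and the allowlist are assumptions.

```php
<?php
// Added illustration, not the plugin's code: the extension that gets checked
// must be the extension that gets written, and the allowlist must not come
// from the request. Function names, the sanitizer and the allowlist are assumed.

// Simplified stand-in for a filename sanitizer that drops special characters
// such as '$' (WordPress's sanitize_file_name() strips a similar set).
function strip_special_chars(string $name): string {
    return str_replace(['$', '#', '%', '&', '*', '?', '<', '>', '|', ';', '`'], '', $name);
}

function extension_of(string $name): string {
    return strtolower((string) pathinfo($name, PATHINFO_EXTENSION));
}

// Vulnerable ordering: the extension is extracted and validated BEFORE
// sanitization, against a type list taken from the request itself; the
// sanitized name (with '$' removed) is what actually lands on disk.
function vulnerable_decide(string $filename, array $client_allowed): ?string {
    $checked_ext = extension_of($filename);          // "php$" for "upload.php$"
    if (!in_array($checked_ext, $client_allowed, true)) {
        return null;                                  // rejected
    }
    return strip_special_chars($filename);            // stored name has ext "php"
}

// Hardened ordering: sanitize first, validate the extension of the name that
// will be stored, and compare only against a server-side allowlist.
const SERVER_ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

function hardened_decide(string $filename): ?string {
    $clean = strip_special_chars($filename);
    $ext   = extension_of($clean);
    if ($ext === '' || !in_array($ext, SERVER_ALLOWED_EXTENSIONS, true)) {
        return null;                                  // rejected
    }
    return $clean;                                    // same extension as checked
}

// Constructed inputs: a name whose checked and stored extensions differ, and a
// request-supplied "allowed types" list that includes the unsanitized value.
$name    = 'upload.php$';
$allowed = ['jpg', 'png', 'php$'];

printf("vulnerable: %s\n", vulnerable_decide($name, $allowed) ?? 'rejected');
printf("hardened:   %s\n", hardened_decide($name) ?? 'rejected');
```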

Details

CWE(s)

CWE-434 (Unrestricted Upload of File with Dangerous Type)

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Arbitrary PHP file upload in a public-facing WordPress plugin enables exploitation of a public-facing application (T1190) and deployment of web shells (T1505.003) for RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References