Cyber Posture

CVE-2026-5718

Severity: High
Published: 17 April 2026
Modified: 22 April 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (36.5th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.6. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangerous extension denylist instead of merging with it, and the wpcf7_antiscript_file_name() sanitization function being bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to achieve remote code execution.
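A hardened form of the two checks the description names, written here as an added illustration in PHP and not taken from the plugin (the function names, the default extension list and the normalization rules are assumptions): a custom denylist is merged into the built-in one rather than replacing it, and the filename is reduced to ASCII before its extension is examined. It goes slightly beyond the description by checking every extension segment of the name, not only the last.

```php
<?php
// Added illustration, not the plugin's code: defaults, names and rules are assumed.

// Extensions refused regardless of what the site configures (constructed list).
const DEFAULT_DENYLIST = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml',
    'phar', 'pht', 'phps', 'cgi', 'pl', 'py', 'sh', 'exe', 'js', 'html', 'htm', 'svg'];

// Merge a site-specific denylist into the default one. The flaw described above
// is that the custom list replaces the default; merging only ever adds to it.
function effective_denylist(array $custom): array {
    $custom = array_map(fn($e) => strtolower(trim($e, " .\t")), $custom);
    $custom = array_filter($custom, fn($e) => $e !== '');
    return array_values(array_unique(array_merge(DEFAULT_DENYLIST, $custom)));
}

// Reduce a submitted filename to ASCII before any extension check: drop any
// directory part, strip non-ASCII and control bytes, remove characters that
// are unsafe in a path, and collapse repeated dots.
function ascii_safe_filename(string $name): string {
    $name = basename(str_replace('\\', '/', $name));
    $name = preg_replace('/[^\x20-\x7E]/', '', $name);  // non-ASCII and control bytes
    $name = preg_replace('/[\/:*?"<>|]/', '', $name);   // path and shell metacharacters
    $name = preg_replace('/\.{2,}/', '.', $name);
    return trim($name, ' .');
}

// True when the upload may proceed, false when it must be refused.
function upload_allowed(string $name, array $customDenylist): bool {
    $safe = ascii_safe_filename($name);
    if ($safe === '' || strpos($safe, '.') === false) {
        return false;  // nothing usable left after sanitizing: refuse, do not guess
    }
    $deny = effective_denylist($customDenylist);
    // Every segment after the first dot is checked, so "x.php.jpg" counts as "x.php".
    foreach (array_slice(explode('.', strtolower($safe)), 1) as $ext) {
        if (in_array($ext, $deny, true)) {
            return false;
        }
    }
    return true;
}

// Constructed cases: a benign document, a PHP file while a custom list is set,
// and a PHP file whose name carries a non-ASCII character.
var_dump(upload_allowed('report.pdf', ['zip']));
var_dump(upload_allowed('shell.php', ['zip']));
var_dump(upload_allowed("sh\u{00E9}ll.php", ['zip']));
```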

Mitigating Controls (NIST 800-53 r5)

Prevent: Flaw remediation directly mitigates the CVE by requiring that the plugin be updated from any version up to and including 1.3.9.6 to a patched release that fixes the file validation and sanitization flaws.

Prevent: Information input validation enforces proper checking of file types and names, countering the insufficient denylist merging and the non-ASCII sanitization bypass in the plugin.

Prevent: Information input restrictions at upload boundaries limit dangerous file types and filenames, preventing unauthenticated arbitrary file uploads that lead to RCE.

Security Summary

CVE-2026-5718 is an arbitrary file upload vulnerability affecting the Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress in versions up to and including 1.3.9.6. The issue stems from insufficient file type validation when custom blacklist types are configured, as this configuration replaces the default dangerous extension denylist rather than merging with it. Additionally, the wpcf7_antiscript_file_name() sanitization function can be bypassed using filenames with non-ASCII characters. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type), published on 2026-04-17.

Unauthenticated attackers can exploit this vulnerability over the network with high attack complexity to upload arbitrary files, such as PHP files, to the server. Successful exploitation enables remote code execution, potentially compromising the entire WordPress site.

References point to specific code locations in the vulnerable version 1.3.9.6, including lines 62, 883, 970, and 987 in inc/dnd-upload-cf7.php, highlighting the flawed validation and sanitization logic. Mitigation is addressed in changeset 3508522 for the plugin, indicating that updating to a patched version resolves the issue.

Details

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

An arbitrary file upload in a public-facing WordPress plugin enables T1190 (Exploit Public-Facing Application) for unauthenticated RCE and facilitates T1505.003 (Web Shell) via uploaded PHP files.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References