Unauthenticated Cross Site Scripting in Drag and Drop Multiple File Upload by WordPress
CVE-2026-49055

7.1 HIGH

What is CVE-2026-49055?

An unauthenticated Cross Site Scripting (XSS) vulnerability exists in the Drag and Drop Multiple File Upload plugin for Contact Form 7, in versions up to and including 1.3.9.7. The flaw allows attackers to inject malicious scripts into the web application, so that unauthorized actions can be executed in the context of users visiting the affected site. Such vulnerabilities pose significant risks because they can be exploited to steal sensitive data, manipulate site content, or redirect users to harmful websites.

Affected Version(s)

Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.7

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

fayespiegel | Patchstack Bug Bounty Program