Arbitrary File Upload Vulnerability in Drag and Drop File Upload Plugin for WordPress
CVE-2026-5364
8.1 HIGH
Key Information:
- Vendor: WordPress
- CVE Published: 24 April 2026
What is CVE-2026-5364?
The Drag and Drop File Upload plugin for Contact Form 7 is vulnerable to arbitrary file upload by unauthenticated attackers. The plugin extracts file extensions without adequate sanitization, so an attacker who controls the file type parameter can upload files of arbitrary types, potentially leading to remote code execution. The plugin does implement measures such as .htaccess restrictions and filename randomization, but these may not fully mitigate the risk, so affected sites should patch immediately and apply proactive security measures.
Affected Version(s)
Drag and Drop File Upload for Contact Form 7: versions 0 through 1.1.3 (<= 1.1.3)