If you run Contact Form 7 with the Drag and Drop File Upload extension, your site could be exposed to remote code execution. A critical arbitrary file upload vulnerability, tracked as CVE-2026-5364, lets unauthenticated attackers upload malicious PHP files through the file upload functionality. Here is everything you need to know about this vulnerability, how it works, and how to protect your site.
CVE-2026-5364: What is Drag and Drop File Upload for Contact Form 7?
The Drag and Drop File Upload for Contact Form 7 plugin replaces the standard file upload field with a modern drag-and-drop interface. Files are uploaded in the background via AJAX, so large files no longer delay form submission. The plugin supports multiple file uploads, custom file type restrictions, file size limits, and automatic email attachments.
Thousands of WordPress sites use this plugin to let visitors submit files through contact forms. Common use cases include job applications with resume uploads, support ticket attachments, and user-submitted content for photography or portfolio sites. The plugin has been active in the WordPress plugin repository for years and maintains a solid user base.
The Vulnerability: CVE-2026-5364
Security researchers at Wordfence discovered a critical arbitrary file upload vulnerability in the plugin. The flaw received a CVSS score of 8.1 (High) because it requires no authentication and can lead to complete site compromise through remote code execution.
The core problem lies in how the plugin handles file validation during the upload process. Three separate issues combine to create the exploit.
The plugin extracts the file extension before performing any sanitization. This lets an attacker craft a file name that passes the extension check but saves as a PHP file.
The file type parameter comes from the attacker without being restricted to administrator-configured types. The plugin accepts whatever type the client sends. Attackers can bypass the intended file type restrictions entirely.
The plugin performs validation on the unsanitized extension but saves the file with a sanitized extension. During sanitization, special characters like `$` get stripped away. This creates a mismatch between what the plugin validates and what it saves. An attacker can upload a file that validates as a safe type but saves as PHP.
What Happens If Someone Exploits It
An unauthenticated attacker can craft a POST request with a manipulated file name. The validation logic approves the file. The plugin saves it to the WordPress uploads directory. The attacker then accesses the uploaded PHP file through the browser. This executes malicious code on the server.
With remote code execution on a WordPress site, an attacker can:
- Install backdoors for persistent access
- Steal the WordPress database including user credentials and customer data
- Modify or delete site content
- Use the compromised server for phishing campaigns or malware distribution
- Access the underlying server filesystem beyond the WordPress installation
The good news is that two mitigating factors reduce the real-world exploitability of this vulnerability. The plugin generates randomized file names during the save process, so the attacker needs to determine or guess the final file name. The plugin also deploys an .htaccess file in the upload directory that restricts direct access to certain file types.
Which Versions Are Affected
All versions up to and including 1.1.3 are vulnerable. The plugin developer released version 1.2.0 to address the issue. If you are running version 1.1.3 or earlier, update immediately.
Check your installed version in the WordPress admin dashboard. Go to Plugins and look for “Drag and Drop File Upload for Contact Form 7.” You can also check the readme.txt file at `/wp-content/plugins/drag-and-drop-file-upload-for-contact-form-7/readme.txt`.
How to Protect Your Site
Step 1: Update the Plugin
The fastest fix is updating the plugin to version 1.2.0 or later. Go to Dashboard > Updates in your WordPress admin area. Look for the plugin update. You can also update directly from the Plugins page by clicking Update Now.
If automatic updates are not working, download the latest version from the WordPress plugin repository. Install it manually via FTP or your hosting control panel’s file manager. Replace the existing plugin folder with the new one.
Step 2: Verify the Update
Navigate to Plugins in your WordPress dashboard. Check the version number next to “Drag and Drop File Upload for Contact Form 7.” It should show 1.2.0 or higher.
You can also confirm the fix by reading the file validation logic in the plugin’s backend code. The patched version validates the extension properly and restricts the file type parameter to the values the administrator configured.
Step 3: Scan for Compromised Files
If you suspect someone exploited this vulnerability, scan your WordPress installation for unexpected PHP files. Use a security plugin to run a file integrity check. Manually inspect the `/wp-content/uploads/` directory for suspicious PHP files that you did not upload.
Look for files with randomized names that contain PHP code. Common backdoor file names include variations of `shell.php`, `wp-config.php`, or files with timestamps in their names. The `wp-content/uploads/` directory should contain only media files, not executable PHP scripts.
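One way to run this scan, as an added example that is not part of the original post: it walks the uploads tree and flags files that are PHP by extension (double extensions such as `cv.php.jpg` included) or that carry a PHP open tag in their first bytes whatever their extension; the extension list is an assumption.

```python
# Added example, not from the plugin or the original post: walk a WordPress
# uploads tree and report files that are PHP by extension or by content, so a
# backdoor hidden behind an image extension is caught as well as an obvious
# random-named .php file.
import os
import sys
from typing import List, Tuple

EXECUTABLE_EXTENSIONS = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "phps"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def all_extensions(name: str) -> List[str]:
    """Every dotted part after the base name: 'cv.php.jpg' -> ['php', 'jpg']."""
    parts = name.lower().split(".")
    return parts[1:]


def has_php_open_tag(path: str, head_bytes: int = 4096) -> bool:
    """True if a PHP open tag appears in the first head_bytes of the file."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(head_bytes)
    except OSError:
        return False
    return any(tag in head for tag in PHP_OPEN_TAGS)


def scan_uploads(root: str) -> List[Tuple[str, str]]:
    """Return sorted (relative path, reason) pairs for every suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if any(ext in EXECUTABLE_EXTENSIONS for ext in all_extensions(name)):
                findings.append((rel, "executable extension"))
            elif has_php_open_tag(path):
                findings.append((rel, "PHP open tag inside a non-PHP file"))
    return sorted(findings)


if __name__ == "__main__":
    for rel, reason in scan_uploads(sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"):
        print(f"{reason}: {rel}")
```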
Step 4: Add a Web Application Firewall Rule
A WAF provides extra protection against file upload attacks. If you use Cloudflare or Sucuri, add a rule that blocks file upload requests containing PHP code.
For server-level protection, add the following rule to a `.htaccess` file inside the uploads directory (Apache 2.4 syntax). It denies direct requests for PHP files there, so even a file that slips past the plugin’s validation cannot be executed by visiting its URL:
# wp-content/uploads/.htaccess
<FilesMatch "\.(php[0-9]?|phtml|phar|phps)$">
    Require all denied
</FilesMatch>
Two caveats. A `<Directory>` block is only valid in the main Apache configuration (httpd.conf or a virtual host file, and it takes an absolute filesystem path), not in `.htaccess`, where it produces a server error. And `php_flag engine off` only exists when PHP runs as an Apache module; under PHP-FPM Apache does not recognize the directive and returns a 500 error, which is why the `FilesMatch` deny rule is the more reliable choice. If you run Nginx, `.htaccess` files are never read, so add a location block to the server configuration that denies access to PHP files in the uploads directory.
Step 5: Monitor for Suspicious Activity
Enable logging on your WordPress site to track file upload attempts. Monitor your server access logs for POST requests to the file upload endpoint from IP addresses outside your normal visitor range. Unusual patterns like multiple upload attempts from the same IP in a short period can indicate an exploitation attempt.
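A small detector for the two signals described on this page (a burst of upload requests at the AJAX endpoint, then a request for a PHP file under the uploads directory), as an added example that is not from the original post. It reads Apache combined-format log lines; the sample lines are constructed, and because the page does not name the plugin’s AJAX action, the burst rule keys on POSTs to `admin-ajax.php`, the WordPress AJAX entry point, rather than on a specific action.

```python
# Added example, not from the original post: two detections over Apache
# combined-format access log lines on constructed sample data. The plugin's
# AJAX action name is not on the page, so the burst rule keys on POSTs to
# admin-ajax.php (the WordPress AJAX entry point) rather than on an action.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PHP_UNDER_UPLOADS = re.compile(r"^/wp-content/uploads/.*\.(php\d?|phtml|phar)(\?|$)", re.I)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines: List[str], burst: int = 5, window: timedelta = timedelta(minutes=1)) -> Dict[str, List[str]]:
    """{ip: [alerts]} for PHP requested under uploads and for AJAX POST bursts."""
    alerts: Dict[str, List[str]] = defaultdict(list)
    ajax_posts: Dict[str, List[datetime]] = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path.split("?")[0].endswith("/wp-admin/admin-ajax.php"):
            ajax_posts[ip].append(rec["ts"])
        if PHP_UNDER_UPLOADS.match(path):
            # Nothing under uploads should ever execute; a 200 means it did.
            sev = "CRITICAL" if rec["status"] == 200 else "WARN"
            alerts[ip].append(f"{sev}: PHP requested under uploads: {path} -> {rec['status']}")
    for ip, stamps in ajax_posts.items():
        stamps.sort()
        if any(stamps[i + burst - 1] - stamps[i] <= window for i in range(len(stamps) - burst + 1)):
            alerts[ip].append(f"WARN: {burst}+ admin-ajax POSTs from one IP within {window}")
    return dict(alerts)


# Constructed sample: 203.0.113.7 bursts at the AJAX endpoint, then fetches a PHP file from uploads.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2026:10:00:{s:02d} +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "-"'
    for s in range(0, 30, 5)
] + [
    '203.0.113.7 - - [10/Mar/2026:10:00:45 +0000] "GET /wp-content/uploads/2026/03/a8f3k2.php HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.4 - - [10/Mar/2026:10:01:10 +0000] "GET /wp-content/uploads/2026/03/photo.jpg HTTP/1.1" 200 8192 "-" "-"',
    '198.51.100.4 - - [10/Mar/2026:10:01:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "-"',
]
```

Feed real lines with `detect(open("/var/log/apache2/access.log").read().splitlines())`; tune `burst` and `window` to your site’s normal form traffic.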
The Technical Details
The vulnerability exists in the plugin’s backend processing logic. The plugin registers an AJAX action that handles file uploads without authentication checks. The file validation function in `backend/index.php` processes file names through sanitization that strips special characters after validation.
The key issue is in how the plugin extracts and validates the file extension. Here is a simplified view of the vulnerable logic:
1. The plugin extracts the file extension from the raw file name
2. It checks the extension against the allowed file types list
3. It sanitizes the file name, which removes characters like `$`
4. It saves the file using the sanitized name
The vulnerability arises because step 2 validates the original extension, but step 4 saves the file with the sanitized extension. An attacker can include a character like `$` in the extension (for example, `.ph$p`). The sanitizer strips the `$` and saves the file as `.php`, but the validation check passes because `.ph$p` does not match any restricted pattern.
The fix in version 1.2.0 restructures this logic. It validates the file extension AFTER sanitization. This ensures the saved file matches what the plugin checked. The update also restricts the file type parameter to administrator-configured values. Attackers can no longer send arbitrary file types.
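The three defects described above and the ordering the 1.2.0 fix restores, as an added Python model (not the plugin’s PHP and not code from the original post): `strip_special_chars()` is an assumed stand-in for the special-character pass of WordPress’s `sanitize_file_name()`, which does strip `$`, and the extension and type lists are assumptions.

```python
# Added example, not code from the plugin: a Python model of the three defects
# described above next to the patched ordering. strip_special_chars() is an
# assumed stand-in for the special-character pass of WordPress's
# sanitize_file_name(); the extension and type lists are assumptions too.
import os
from typing import Optional, Set

# Characters sanitize_file_name() removes; note that '$' is among them.
SPECIAL_CHARS = set('?[]/\\=<>:;,\'"&$#*()|~`!{}%+')
# Extensions that must never be written under the uploads directory.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "phps"}
# What the site administrator configured in the form tag (assumed).
ADMIN_TYPES = {"pdf", "doc", "docx", "jpg", "png"}


def strip_special_chars(filename: str) -> str:
    return "".join(ch for ch in filename if ch not in SPECIAL_CHARS)


def extension_of(filename: str) -> str:
    return os.path.splitext(filename)[1].lstrip(".").lower()


def vulnerable_save_name(filename: str, client_types: Set[str]) -> Optional[str]:
    """Pre-1.2.0 ordering: check the RAW extension against a type list the
    client sent, then sanitize and save. Returns the saved name or None."""
    ext = extension_of(filename)                  # step 1: raw, e.g. 'ph$p'
    if ext in EXECUTABLE_EXTENSIONS or ext not in client_types:
        return None                               # step 2: 'ph$p' passes
    return strip_special_chars(filename)          # steps 3-4: saved as '.php'


def hardened_save_name(filename: str, admin_types: Set[str] = ADMIN_TYPES) -> Optional[str]:
    """1.2.0 ordering: sanitize first, validate the extension that will really
    be written, and only trust the administrator-configured type list."""
    safe = strip_special_chars(filename)
    ext = extension_of(safe)
    if not ext or ext in EXECUTABLE_EXTENSIONS or ext not in admin_types:
        return None
    return safe
```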
The Bottom Line
CVE-2026-5364 is a serious vulnerability that affects a widely used Contact Form 7 extension. The arbitrary file upload issue can lead to remote code execution, which means a full site takeover. Update the plugin to version 1.2.0 or later immediately. If you cannot update right away, add WAF rules and disable the plugin temporarily until you can apply the patch. Attackers are actively scanning for vulnerable sites, so speed matters more than a perfect implementation.
The Drag and Drop Multiple File Upload for Contact Form 7 plugin is available at wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/.