CVE-2026-5364
Published: 24 April 2026
Summary
CVE-2026-5364 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in WordPress (product inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 39.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-5364 affects the Drag and Drop File Upload for Contact Form 7 plugin for WordPress in versions up to and including 1.1.3. The plugin extracts the file extension before the filename is sanitized, and the file type parameter can be supplied by the requester rather than being restricted to administrator-configured values. Validation is performed on the unsanitized extension, while the file is saved under a sanitized name; because sanitization strips special characters such as '$', the extension that passes validation is not the extension that ends up on disk, which permits arbitrary PHP files to be written.
Unauthenticated attackers with network access can exploit this to upload arbitrary PHP files and potentially achieve remote code execution. The CVSS 3.1 vector is AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 8.1); attack complexity is rated High (AC:H). The weakness class is CWE-434 (Unrestricted Upload of File with Dangerous Type).
The references point to specific lines in the plugin's source: backend/index.php lines 147, 158, and 181 in tags/1.1.2 and trunk, and frontend/index.php line 15, where the flawed extension handling and sanitization logic is located.
In practice, real-world exploitability is limited by an .htaccess file and by filename randomization within the plugin.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25399
Vulnerability details
The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the attacker rather than being restricted to administrator-configured values, which, when combined with the fact that validation occurs on the unsanitized extension while the file is saved with a sanitized extension, allows special characters like '$' to be stripped during the save process. This makes it possible for unauthenticated attackers to upload arbitrary PHP files and potentially achieve remote code execution; however, an .htaccess file and name randomization are in place, which restricts real-world exploitability.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary PHP file upload through a public-facing WordPress plugin enables exploitation of a public-facing application (T1190) and deployment of web shells (T1100) for remote code execution.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the specific flaw in the plugin's file extension extraction, sanitization, and validation logic that enables arbitrary PHP file uploads.
- SI-10 (Information Input Validation): enforces comprehensive validation of uploaded file extensions and contents so that attackers cannot bypass administrator-configured restrictions and upload dangerous PHP files.
- Malicious code protection: deploys scanning at web entry points to detect and block arbitrary PHP shells uploaded via the vulnerable drag-and-drop functionality.