Cyber Resilience

CVE-2026-5364

Severity: High
Published: 24 April 2026
Modified: 24 April 2026
CVSS v3.1 base score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0106 (60.4th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-5364 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the Drag and Drop File Upload for Contact Form 7 plugin for WordPress (affected product inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 39.6% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST SP 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-5364 affects the Drag and Drop File Upload for Contact Form 7 plugin for WordPress in versions up to and including 1.1.3. The plugin extracts the file extension before sanitization, and it lets the file type parameter be controlled by the requester instead of restricting it to administrator-configured values. Because validation runs on the unsanitized extension while the file is saved under the sanitized name, special characters such as '$' are stripped during the save, so the extension that was checked is not the extension that ends up on disk; this is what makes the upload of arbitrary PHP files possible.

Unauthenticated attackers with network access can exploit this issue to upload arbitrary PHP files, potentially achieving remote code execution. The CVSS vector rates attack complexity as high (AC:H); the base score is 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), and the weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).

The provided references point to specific lines in the plugin's source code, namely backend/index.php lines 147, 158, and 181 in tags/1.1.2 and trunk, as well as frontend/index.php line 15, which contain the flawed extension handling and sanitization logic.

In practice, real-world exploitability is restricted by an .htaccess file and name randomization measures in place within the plugin.

Vulnerability details

The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the attacker rather than being restricted to administrator-configured values, which, when combined with the fact that validation occurs on the unsanitized extension while the file is saved with a sanitized extension, allows special characters like '$' to be stripped during the save process. This makes it possible for unauthenticated attackers to upload arbitrary PHP files and potentially achieve remote code execution; however, an .htaccess file and name randomization are in place, which restricts real-world exploitability.
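As an added illustration (not the plugin's code, and modelled in Python rather than PHP), the check below contrasts the check-then-sanitize ordering described above with a hardened version that sanitizes first, derives the extension from the name that will actually be written, and compares it only against a server-side allowlist. The allowlist, the simplified sanitizer standing in for WordPress's sanitize_file_name(), and the sample file names are all constructed for this example.

```python
import os
import re

# Administrator-configured allowlist, held server-side (constructed for this example).
ADMIN_ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "pdf"})

# Simplified stand-in for WordPress's sanitize_file_name(): strip everything outside
# a conservative character set. This is an assumption for the example, not the plugin's code.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_file_name(name: str) -> str:
    return _UNSAFE.sub("", os.path.basename(name))


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def flawed_upload_allowed(raw_name: str, request_allowed: set[str]) -> tuple[bool, str]:
    """Mirrors the two defects the advisory describes: the extension is taken from
    the unsanitized name and compared against a request-supplied list, while the
    file is stored under the sanitized name. Returns (allowed, name_on_disk)."""
    checked_ext = extension_of(raw_name)       # validated before sanitization
    saved_as = sanitize_file_name(raw_name)    # written after sanitization
    return checked_ext in request_allowed, saved_as


def hardened_upload_allowed(raw_name: str) -> tuple[bool, str]:
    """Sanitize first, then validate the name that will actually be written,
    using only the server-side allowlist. Returns (allowed, name_on_disk)."""
    saved_as = sanitize_file_name(raw_name)
    parts = saved_as.lower().split(".")
    # Require a non-empty base name and at least one extension (rejects ".htaccess" too).
    if len(parts) < 2 or not parts[0]:
        return False, saved_as
    # Every extension segment must be allowed, not just the last one, so that a name
    # such as "a.php.png" is refused as well (Apache can map multiple extensions to handlers).
    allowed = all(seg in ADMIN_ALLOWED_EXTENSIONS for seg in parts[1:])
    return allowed, saved_as
```

The key property of the hardened version is that the string it validates and the string it stores are the same object, so nothing the sanitizer removes can change the outcome of the check after the fact. Extension checks alone are still not a complete defence; content-type inspection and serving uploads from a location where scripts are not executed remain necessary.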

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary PHP file upload in a public-facing WordPress plugin enables exploitation of a public-facing application (T1190) and deployment of web shells (T1505.003) for RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22654 (shared CWE-434)
CVE-2025-11948 (shared CWE-434)
CVE-2025-67260 (shared CWE-434)
CVE-2025-28915 (shared CWE-434)
CVE-2023-53956 (shared CWE-434)
CVE-2025-6058 (shared CWE-434)
CVE-2021-47819 (shared CWE-434)
CVE-2025-7852 (shared CWE-434)
CVE-2026-4883 (shared CWE-434)
CVE-2019-25630 (shared CWE-434)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

SI-2 Flaw Remediation (prevent): Directly remediates the specific flaw in the plugin's file extension extraction, sanitization, and validation logic that enables arbitrary PHP file uploads.

SI-10 Information Input Validation (prevent): Enforces comprehensive validation of uploaded file extensions and contents to prevent attackers from bypassing administrator-configured restrictions and uploading dangerous PHP files.

Malicious code protection (prevent, detect): Deploys malicious code protection mechanisms at web entry points to scan, detect, and block arbitrary PHP shells uploaded via the vulnerable drag-and-drop functionality.
