
CVE-2026-5710

Severity: High
Published: 17 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available (WordPress plugin changeset 3508522)
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.0004 (13.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-5710 is a high-severity Path Traversal (CWE-22) vulnerability in the Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress (affected product inferred from the references; NVD has not filed a CPE). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with MITRE ATT&CK technique T1190, Exploit Public-Facing Application. EPSS ranks it at the 13.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST SP 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-5710 is a path traversal vulnerability leading to arbitrary file read in the Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress, affecting versions up to and including 1.3.9.6. The plugin treats the client-supplied mfile[] POST values as the authoritative list of email attachments, with no server-side check that the named files were actually uploaded through the plugin, no path canonicalization, and no directory containment enforcement. In dnd_wpcf7_posted_data(), each user-submitted filename is appended directly to the plugin's upload URL without sanitization. In dnd_cf7_mail_components(), that URL is converted back to a filesystem path with str_replace(), and file_exists() is the only acceptance check before the file is attached to the Contact Form 7 email. Because file_exists() resolves '..' segments, it confirms that the attacker's target exists rather than that it belongs to this upload. The only remaining boundary is Contact Form 7's own wpcf7_is_file_path_in_content_dir() check, which constrains reads to the wp-content folder. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is classified as CWE-22.

Unauthenticated attackers can exploit this remotely with low complexity by submitting path traversal sequences in the mfile[] parameter of a Contact Form 7 submission. The targeted files, any under wp-content that the web server process can read, are then disclosed as attachments on the email the form sends. No privileges or user interaction are required, so any site running the vulnerable plugin is exposed.

The references identify the relevant code in the plugin's dnd-upload-cf7.php (lines 203, 477, and 718 of version 1.3.9.6) and the fix in WordPress.org plugin changeset 3508522. Wordfence's threat intelligence write-up has further details and recommends updating to the patched release.


Vulnerability details

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary File Read in versions up to and including 1.3.9.6. This is due to the plugin using client-supplied mfile[] POST values as the source of truth for email attachment selection without performing any server-side upload provenance check, path canonicalization, or directory containment boundary enforcement. In dnd_wpcf7_posted_data(), each user-submitted filename is directly appended to the plugin's upload URL without sanitization. In dnd_cf7_mail_components(), the URL is converted back to a filesystem path using str_replace() and only file_exists() is used as the acceptance check before attaching the file to the outgoing CF7 email. This makes it possible for unauthenticated attackers to read and exfiltrate arbitrary files readable by the web server process via path traversal sequences in the mfile[] parameter, with files being disclosed as email attachments. Note: This vulnerability is limited to the 'wp-content' folder due to the wpcf7_is_file_path_in_content_dir() function in the Contact Form 7 plugin.
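The mechanism described in the deeper analysis and in the vulnerability details above, as an added example modelled in Python rather than the plugin's PHP (this is not the plugin's, Contact Form 7's or Wordfence's code): a constructed wp-content tree, a resolver that follows the reported pattern (client name appended to the upload URL, URL swapped back to a path with a string replace, an existence test as the only check, CF7's content-dir boundary modelled as a realpath prefix test), and a hardened resolver that checks upload provenance, accepts only a bare basename, canonicalizes and enforces containment. The upload URL, the directory layout, the file names and the modelled behaviour of wpcf7_is_file_path_in_content_dir() are assumptions.

```python
"""Model of CVE-2026-5710's attachment-selection flaw and a hardened replacement.

Constructed example: a throwaway wp-content tree is built in a temp dir so the
vulnerable and hardened resolvers can be compared offline. Function names mirror
the plugin's for orientation only; this is not the plugin's code.
"""
import os
import tempfile
import urllib.parse

# Assumed plugin upload location (the real URL/path layout may differ).
UPLOAD_URL = "https://example.test/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files"


def make_site():
    """Constructed fixture: site root, wp-content, the plugin upload dir, one
    legitimate upload, one sensitive file inside wp-content, one outside it."""
    root = tempfile.mkdtemp(prefix="wp-")
    wp_content = os.path.join(root, "wp-content")
    upload_dir = os.path.join(wp_content, "uploads", "wp_dndcf7_uploads", "wpcf7-files")
    os.makedirs(upload_dir)
    files = {
        os.path.join(upload_dir, "resume.pdf"): "%PDF-1.4 legitimate upload",
        os.path.join(wp_content, "backup.sql"): "-- constructed: db dump left in wp-content",
        os.path.join(root, "wp-config.php"): "<?php define('DB_PASSWORD', 'constructed');",
    }
    for path, body in files.items():
        with open(path, "w") as fh:
            fh.write(body)
    return wp_content, upload_dir


def in_content_dir(path, wp_content):
    """Model of CF7's wpcf7_is_file_path_in_content_dir(): a realpath prefix
    test against the content directory (assumed behaviour, not CF7's source)."""
    real, base = os.path.realpath(path), os.path.realpath(wp_content)
    return os.path.commonpath([real, base]) == base


def vulnerable_attachments(mfile, upload_dir, wp_content):
    """The pattern the advisory describes: client name -> URL -> string-replace
    back to a path, with an existence test as the only acceptance check."""
    attachments = []
    for name in mfile:
        url = UPLOAD_URL + "/" + name                       # dnd_wpcf7_posted_data()
        path = url.replace(UPLOAD_URL, upload_dir)          # dnd_cf7_mail_components()
        # exists() follows '..', so it confirms the attacker's target exists,
        # not that the file came from this upload. Only CF7's boundary remains.
        if os.path.exists(path) and in_content_dir(path, wp_content):
            attachments.append(path)
    return attachments


def hardened_attachments(mfile, upload_dir, session_uploads):
    """Provenance, then bare-basename, then canonicalize-and-contain."""
    base = os.path.realpath(upload_dir)
    attachments = []
    for name in mfile:
        if name not in session_uploads:                     # 1. provenance: server-side record
            continue
        if name in ("", ".", "..") or os.path.basename(name) != name:
            continue                                        # 2. stored uploads are bare names
        real = os.path.realpath(os.path.join(base, name))   # 3. canonicalize (resolves symlinks)
        if os.path.commonpath([real, base]) != base:        #    and enforce containment
            continue
        if os.path.isfile(real):
            attachments.append(real)
    return attachments


def looks_like_traversal(value):
    """Log/WAF triage helper for mfile[] values: flags dot-dot segments,
    backslashes and NUL in the raw or percent-decoded form."""
    for form in (value, urllib.parse.unquote(value)):
        if "\x00" in form or "\\" in form:
            return True
        if any(seg == ".." for seg in form.split("/")):
            return True
    return False


def run_demo():
    """Resolve an attacker-controlled mfile[] with both resolvers; returns
    basenames so the outcome does not depend on the temp dir location."""
    wp_content, upload_dir = make_site()
    mfile = [
        "resume.pdf",                 # the only file this session actually uploaded
        "../../../backup.sql",        # 3 levels up: still inside wp-content
        "../../../../wp-config.php",  # 4 levels up: outside wp-content, CF7 boundary blocks it
    ]
    return {
        "vulnerable": [os.path.basename(p) for p in vulnerable_attachments(mfile, upload_dir, wp_content)],
        "hardened": [os.path.basename(p) for p in hardened_attachments(mfile, upload_dir, {"resume.pdf"})],
        "flagged": [m for m in mfile if looks_like_traversal(m)],
    }


if __name__ == "__main__":
    print(run_demo())
```

Run as a script and the vulnerable resolver attaches both resume.pdf and backup.sql while the fourth-level payload is stopped only by the modelled CF7 boundary; the hardened resolver attaches resume.pdf alone. The provenance check is the decisive one: once the handler only attaches files its own upload endpoint recorded for this submission, the client value is a lookup key rather than a path, and the canonicalization and containment checks become defence in depth rather than the last line.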

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal in a public-facing WordPress plugin allows remote, unauthenticated exploitation of the application (T1190) and direct reads of files on the local filesystem, limited here to wp-content (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-12824 (shared CWE-22)
CVE-2026-25965 (shared CWE-22)
CVE-2025-30567 (shared CWE-22)
CVE-2025-27098 (shared CWE-22)
CVE-2024-55457 (shared CWE-22)
CVE-2026-35485 (shared CWE-22)
CVE-2024-54909 (shared CWE-22)
CVE-2026-3405 (shared CWE-22)
CVE-2025-41368 (shared CWE-22)
CVE-2026-23850 (shared CWE-22)

Affected Assets

WordPress: Drag and Drop Multiple File Upload for Contact Form 7 plugin, versions up to and including 1.3.9.6
(inferred from the references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST SP 800-53 r5)

SI-10 Information Input Validation · prevent

Requires server-side validation of the client-supplied mfile[] POST parameters to reject path traversal sequences, directly addressing the missing sanitization, canonicalization and directory containment enforcement.

SI-2 Flaw Remediation · prevent

Mandates timely identification, reporting and patching of the plugin flaw (fixed in changeset 3508522), removing the vulnerable code paths in dnd_wpcf7_posted_data() and dnd_cf7_mail_components().

Filesystem access controls · prevent

Enforces logical access controls on filesystem resources within wp-content so that the web server process cannot read files it has no need to serve, even if traversal input reaches the attachment code. Caveat: PHP running under the web server must be able to read plugin, theme and upload files in wp-content, so this control only protects material that should not sit in a web-readable directory in the first place (backups, exports, logs); it does not substitute for the patch.
