CVE-2026-5710
Published: 17 April 2026
Summary
CVE-2026-5710 is a high-severity Path Traversal (CWE-22) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 13.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-5710 is a path traversal vulnerability leading to arbitrary file read in the Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress, affecting versions up to and including 1.3.9.6. The issue arises because the plugin trusts client-supplied mfile[] POST values for email attachment selection without server-side upload provenance checks, path canonicalization, or directory containment enforcement. In the dnd_wpcf7_posted_data() function, user-submitted filenames are appended directly to the plugin's upload URL without sanitization. Subsequently, in dnd_cf7_mail_components(), the URL is converted to a filesystem path via str_replace(), with only file_exists() used as the acceptance check before attaching files to Contact Form 7 emails. This flaw is constrained to the wp-content folder by the wpcf7_is_file_path_in_content_dir() function in Contact Form 7. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-22.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity by submitting path traversal sequences in the mfile[] parameter during Contact Form 7 form submissions. This allows them to read and exfiltrate arbitrary files readable by the web server process, which are then disclosed as email attachments sent via the form. The attack requires no privileges or user interaction, enabling broad exploitation against sites using the vulnerable plugin.
References point to specific code locations in the plugin's dnd-upload-cf7.php file (lines 203, 477, and 718 in version 1.3.9.6) and to a patch applied in WordPress plugin changeset 3508522. Additional details are available in Wordfence threat intelligence at the provided URL, which recommends updating to the patched version as the mitigation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23458
Vulnerability details
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary File Read in versions up to and including 1.3.9.6. This is due to the plugin using client-supplied mfile[] POST values as the source of truth for email attachment selection without performing any server-side upload provenance check, path canonicalization, or directory containment boundary enforcement. In dnd_wpcf7_posted_data(), each user-submitted filename is directly appended to the plugin's upload URL without sanitization. In dnd_cf7_mail_components(), the URL is converted back to a filesystem path using str_replace() and only file_exists() is used as the acceptance check before attaching the file to the outgoing CF7 email. This makes it possible for unauthenticated attackers to read and exfiltrate arbitrary files readable by the web server process via path traversal sequences in the mfile[] parameter, with files being disclosed as email attachments. Note: This vulnerability is limited to the 'wp-content' folder due to the wpcf7_is_file_path_in_content_dir() function in the Contact Form 7 plugin.
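The root cause described above (in both the deeper analysis and the vulnerability details) is that file_exists() alone says nothing about where a client-supplied name resolves. The following is an added illustration in PHP, not the plugin's own code or its changeset 3508522 patch: a hypothetical helper, dnd_attachment_path_is_allowed(), that canonicalizes the candidate with realpath() and enforces containment in the upload directory before a file may be attached. The directory layout and file names are constructed for the demo.

```php
<?php
// Added illustration (not the plugin's code or patch): the plugin's acceptance
// check keeps only file_exists(), so a client-supplied name that escapes the
// upload directory still passes. This hypothetical helper instead resolves the
// candidate with realpath() (which also follows symlinks) and requires the
// result to sit inside the canonical upload root. Returns the safe absolute
// path, or null when the name must be rejected.
function dnd_attachment_path_is_allowed(string $upload_dir, string $client_name): ?string {
    // Canonicalise the allowed root once; fail closed if it does not resolve.
    $root = realpath($upload_dir);
    if ($root === false) {
        return null;
    }
    // The upload folder is flat, so anything but a bare file name is rejected
    // before the filesystem is touched (covers '/', '\\' and NUL bytes).
    if ($client_name === '' || basename($client_name) !== $client_name || strpos($client_name, "\0") !== false) {
        return null;
    }
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $client_name);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment check: the resolved path must lie strictly below the root.
    $root_prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $root_prefix, strlen($root_prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Self-contained demo with constructed files in a temporary directory.
$tmp = sys_get_temp_dir() . '/dnd-demo-' . bin2hex(random_bytes(4));
mkdir($tmp . '/uploads', 0700, true);
file_put_contents($tmp . '/uploads/report.pdf', 'constructed upload');
file_put_contents($tmp . '/outside.txt', 'constructed file that must never be attached');

$cases = ['report.pdf', '../outside.txt', 'missing.pdf', 'sub/report.pdf'];
foreach ($cases as $name) {
    $ok = dnd_attachment_path_is_allowed($tmp . '/uploads', $name);
    printf("%-16s => %s\n", $name, $ok === null ? 'rejected' : 'attach ' . basename($ok));
}
```

Only 'report.pdf' is accepted; the traversal, missing and sub-directory names are rejected before any file is read, whereas file_exists() alone would have accepted the traversal case.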
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
- Data from Local System (T1005)
Why these techniques?
Path traversal in public-facing WordPress plugin enables remote unauthenticated exploitation of the application (T1190) and direct arbitrary file reads from the local filesystem (T1005).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires server-side validation of client-supplied mfile[] POST parameters to block path traversal sequences, directly addressing the lack of input sanitization, canonicalization, and directory enforcement.
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and patching of the plugin flaw (as fixed in changeset 3508522), preventing exploitation of the vulnerable code in dnd_wpcf7_posted_data() and dnd_cf7_mail_components().
- Enforces logical access controls on filesystem resources within wp-content to restrict the web server process from reading arbitrary files even if path traversal input is processed.