CVE-2026-5718

Severity: High
Published: 17 April 2026
Modified: 27 May 2026
CISA KEV: not listed
CVSS v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0418 (89.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-5718 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress (the affected product is inferred from the references and description; NVD filed no CPE for this CVE). Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is affected by an arbitrary file upload vulnerability in versions up to and including 1.3.9.7. The root cause is insufficient file type validation that occurs when administrators configure custom blacklist types, which replaces the plugin's default dangerous extension denylist instead of merging with it, combined with a bypass of the wpcf7_antiscript_file_name() sanitization function for filenames containing non-ASCII characters. This issue is tracked as CWE-434 and carries a CVSS 3.1 score of 8.1.

Unauthenticated attackers can exploit the flaw over the network by submitting specially crafted uploads through Contact Form 7 instances that use the plugin, resulting in the placement of arbitrary files such as PHP scripts on the server and subsequent remote code execution.

The referenced changesets document modifications to the upload handling logic in dnd-upload-cf7.php that were intended to address the original report, though the vulnerability description notes that version 1.3.9.7 only partially resolved the issue before a bypass was identified.

EPSS peaked at 0.0425 and has shown no material rise since disclosure.

Vulnerability details

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.7. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangerous extension denylist instead of merging with it, and the wpcf7_antiscript_file_name() sanitization function being bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to achieve remote code execution. The vulnerability was originally reported by Leonid Semenenko (lsemenenko) and partially patched in version 1.3.9.7. A bypass for the patch was separately discovered and reported by Nguyen Hung (Mitchell).
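The two root causes described above (a custom blacklist that replaces rather than extends the default denylist, and filename sanitisation that can be sidestepped with non-ASCII characters) are easiest to see side by side. The PHP below is an added illustration written for this page; it is not the plugin's code and does not reproduce its actual patch. Every function name, the default denylist, the allowlist and the probe filenames are constructed for the example, and the ASCII-normalisation step is a hardening choice made here, not a description of how the plugin fixed the bypass.

```php
<?php
// Added illustration for this advisory, not code from the Drag and Drop
// Multiple File Upload plugin. All function names here are hypothetical.
declare(strict_types=1);

// Extensions a plugin would refuse by default (constructed sample list).
const DEFAULT_DENY = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phar', 'htaccess', 'cgi', 'pl', 'py'];

/** Parse an admin-supplied "exe,bat" style setting into a clean list. */
function parse_custom_list(string $custom): array
{
    $items = array_map('trim', explode(',', strtolower($custom)));
    return array_values(array_filter($items, 'strlen'));
}

/**
 * Vulnerable pattern: a non-empty custom blacklist REPLACES the defaults.
 * An admin who enters "exe,bat" to add two entries silently drops "php".
 */
function denylist_replace(string $custom): array
{
    $items = parse_custom_list($custom);
    return $items !== [] ? $items : DEFAULT_DENY;
}

/** Hardened pattern: the custom list is MERGED with the defaults. */
function denylist_merge(string $custom): array
{
    return array_values(array_unique(array_merge(DEFAULT_DENY, parse_custom_list($custom))));
}

/** Checks only the final extension of the raw name against the active list. */
function vulnerable_check(string $filename, string $custom): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, denylist_replace($custom), true);
}

/**
 * Hardened check. Returns the sanitised name to store, or null to reject.
 * The name is reduced to printable ASCII BEFORE the extension is read, so a
 * non-ASCII or zero-width character cannot split "php" into something the
 * pattern does not see, and the stored name is the same string that was
 * checked. Every dotted segment is tested against the merged denylist and
 * the last one must also be on an allowlist. (Hardening choice for this
 * example, not the plugin's actual patch.)
 */
function hardened_check(string $filename, string $custom, array $allow): ?string
{
    $name = basename(str_replace('\\', '/', $filename));
    $name = preg_replace('/[^\x21-\x7E]+/', '', $name);
    $name = strtolower(trim($name, " ."));
    $segments = array_values(array_filter(explode('.', $name), 'strlen'));
    if (count($segments) < 2) {
        return null;                       // no base name or no extension
    }
    $base = array_shift($segments);        // everything after it is an extension
    $deny = denylist_merge($custom);
    foreach ($segments as $seg) {
        if (in_array($seg, $deny, true)) {
            return null;                   // catches shell.php.jpg as well
        }
    }
    if (!in_array(end($segments), $allow, true)) {
        return null;
    }
    return $base . '.' . implode('.', $segments);
}

// Constructed probes; "\u{200B}" is a zero-width space inside the extension.
$custom = 'exe,bat';
$allow  = ['jpg', 'jpeg', 'png', 'pdf'];
$probes = ['report.pdf', 'shell.php', 'shell.pHp', 'shell.php.jpg', "shell.p\u{200B}hp", '.htaccess'];

foreach ($probes as $p) {
    printf("%-22s replace-style: %-5s merge+allowlist: %s\n",
        json_encode($p),
        vulnerable_check($p, $custom) ? 'ALLOW' : 'deny',
        hardened_check($p, $custom, $allow) ?? 'deny');
}
```

Run with `php example.php`. With the custom setting `exe,bat` in place, the replace-style check accepts `shell.php`, `shell.pHp`, `shell.php.jpg` and the zero-width-space variant, because the only extensions it still refuses are `exe` and `bat`; the merged denylist plus allowlist rejects all of them and returns `report.pdf` as the only storable name. The point of the ASCII normalisation is that whatever string is checked is also the string written to disk, so a character the check ignored cannot reappear in the stored filename.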

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary file upload in a public-facing WordPress plugin enables T1190 (Exploit Public-Facing Application) for unauthenticated RCE, and the uploaded PHP file itself serves as a web shell, giving T1505.003 (Web Shell) persistence.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22654 (shared CWE-434)
CVE-2025-11948 (shared CWE-434)
CVE-2025-67260 (shared CWE-434)
CVE-2025-28915 (shared CWE-434)
CVE-2023-53956 (shared CWE-434)
CVE-2025-6058 (shared CWE-434)
CVE-2021-47819 (shared CWE-434)
CVE-2025-7852 (shared CWE-434)
CVE-2026-4883 (shared CWE-434)
CVE-2019-25630 (shared CWE-434)

Affected Assets

WordPress: Drag and Drop Multiple File Upload for Contact Form 7 plugin, versions up to and including 1.3.9.7
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly enforces validation of file types, extensions, and filenames on upload, addressing the root cause of the blacklist-replacement and non-ASCII bypass flaws.

SI-3 Malicious Code Protection (prevent): Requires malicious-code scanning and blocking mechanisms that would detect and stop PHP or other executable files before they are written to the server.

Least functionality (prevent): Limits system functionality by disabling or restricting unauthenticated file-upload capabilities and dangerous file-handling features in the Contact Form 7 plugin.
