CVE-2026-5718
Published: 17 April 2026
Summary
CVE-2026-5718 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 10.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Deeper analysis
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is affected by an arbitrary file upload vulnerability in versions up to and including 1.3.9.7. The root cause is insufficient file type validation that occurs when administrators configure custom blacklist types, which replaces the plugin's default dangerous extension denylist instead of merging with it, combined with a bypass of the wpcf7_antiscript_file_name() sanitization function for filenames containing non-ASCII characters. This issue is tracked as CWE-434 and carries a CVSS 3.1 score of 8.1.
Unauthenticated attackers can exploit the flaw over the network by submitting specially crafted uploads through Contact Form 7 instances that use the plugin, resulting in the placement of arbitrary files such as PHP scripts on the server and subsequent remote code execution.
The referenced changesets document modifications to the upload handling logic in dnd-upload-cf7.php that were intended to address the original report, though the vulnerability description notes that version 1.3.9.7 only partially resolved the issue before a bypass was identified.
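To make the two root causes concrete, here is an added PHP example (not the plugin's own code; the function names and the default denylist are assumptions): the replace-vs-merge mistake for an admin-supplied blacklist, beside a hardened check that merges the lists and refuses non-ASCII filenames outright instead of sanitizing them.

```php
<?php
// Added example, not the plugin's code. DEFAULT_DENYLIST is a constructed
// sample; the plugin's real default list is not given on this page.
const DEFAULT_DENYLIST = ['php', 'php3', 'php5', 'phtml', 'phar', 'html', 'js', 'svg', 'exe', 'sh'];

// Splits an admin-supplied "ext1,ext2" setting into a lowercase list.
function parse_custom_list(string $custom): array {
    $items = array_map('trim', explode(',', strtolower($custom)));
    return array_values(array_filter($items, fn($e) => $e !== ''));
}

// Weak pattern (the flaw described above): a non-empty custom list
// REPLACES the default denylist, so "exe,bat" silently re-allows .php.
function denylist_replace(string $custom): array {
    $items = parse_custom_list($custom);
    return $items ?: DEFAULT_DENYLIST;
}

// Hardened pattern: custom entries are MERGED with the defaults.
function denylist_merge(string $custom): array {
    return array_values(array_unique(array_merge(DEFAULT_DENYLIST, parse_custom_list($custom))));
}

// Allow a filename only if it is plain ASCII from a safe charset and no
// dotted segment after the base name is a denied extension (so
// shell.php.jpg is refused too). Non-ASCII input is rejected outright
// rather than stripped, so the check cannot be steered by multibyte input.
function is_upload_allowed(string $filename, array $denylist): bool {
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\z/', $filename)) {
        return false; // covers non-ASCII, path separators, NUL, leading dot
    }
    $segments = array_slice(explode('.', strtolower($filename)), 1);
    foreach ($segments as $ext) {
        if (in_array($ext, $denylist, true)) {
            return false;
        }
    }
    return true;
}

// Demonstration: the same admin setting evaluated under both patterns.
$custom = 'exe,bat';
foreach (['shell.php', 'shell.php.jpg', "sh\u{00E9}ll.php", 'photo.jpg'] as $name) {
    printf("%-16s replace=%s merge=%s\n", $name,
        is_upload_allowed($name, denylist_replace($custom)) ? 'allowed' : 'denied',
        is_upload_allowed($name, denylist_merge($custom)) ? 'allowed' : 'denied');
}
```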
EPSS remains flat: the peak and current value are both 0.0425, with no material rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23459
Vulnerability details
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.7. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangerous extension denylist instead of merging with it, and the wpcf7_antiscript_file_name() sanitization function being bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to achieve remote code execution. The vulnerability was originally reported by Leonid Semenenko (lsemenenko) and partially patched in version 1.3.9.7. A bypass for the patch was separately discovered and reported by Nguyen Hung (Mitchell).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An arbitrary file upload in a public-facing WordPress plugin enables T1190 (Exploit Public-Facing Application) for unauthenticated RCE and facilitates T1100 (Web Shell) via uploaded PHP files.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly enforces validation of file types, extensions, and filenames on upload, addressing the root cause of the blacklist-replacement and non-ASCII bypass flaws.
- SI-3 (Malicious Code Protection): Requires malicious-code scanning and blocking mechanisms that would detect and stop PHP or other executable files before they are written to the server.
- Limits system functionality by disabling or restricting unauthenticated file-upload capabilities and dangerous file-handling features in the Contact Form 7 plugin.