Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 16 known issues Latest disclosed Apr 17, 2026

Drag and Drop Multiple File Upload for Contact Form 7 Vulnerabilities

Q: Which Drag and Drop Multiple File Upload for Contact Form 7 CVEs are tracked?

Drag and Drop Multiple File Upload for Contact Form 7 tracked CVEs include CVE-2020-12800, CVE-2025-2328, CVE-2022-45364, CVE-2026-5718, and CVE-2026-3459.

Q: How many Drag and Drop Multiple File Upload for Contact Form 7 vulnerabilities have patch guidance?

16 of 16 tracked Drag and Drop Multiple File Upload for Contact Form 7 records include a published patch path.

Review known vulnerability records for the WordPress plugin Drag and Drop Multiple File Upload for Contact Form 7 (`drag-and-drop-multiple-file-upload-contact-form-7`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-5718, CVE-2026-5710 and CVE-2026-3459, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Apr 17, 2026

Priority CVE Quick Links

Fast paths into Drag and Drop Multiple File Upload for Contact Form 7 CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

CVE-2020-12800 Critical 1.3.3.3

CVE-2020-12800 Drag and Drop Multiple File Upload for Contact Form 7 Remote Code Execution

Drag and Drop Multiple File Upload - Contact Form 7 <= 1.3.3.2 - Arbitrary File Upload

CVE-2025-2328 High 1.3.8.8

CVE-2025-2328 Drag and Drop Multiple File Upload for Contact Form 7 Remote Code Execution

Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.7 - Unauthenticated Arbitrary File Deletion

CVE-2022-45364 High 1.3.6.6

CVE-2022-45364 Drag and Drop Multiple File Upload for Contact Form 7 File Upload

Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.6.5 - Cross-Site Request Forgery in dnd_upload_cf7_upload and dnd_codedropz_upload_delete

CVE-2026-5718 High 1.3.9.7

CVE-2026-5718 Drag and Drop Multiple File Upload for Contact Form 7 Remote Code Execution

Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass

CVE-2026-3459 High 1.3.9.6

CVE-2026-3459 Drag and Drop Multiple File Upload for Contact Form 7 Remote Code Execution

Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.5 - Unauthenticated Arbitrary File Upload

CVE-2025-3515 High 1.3.9.0

CVE-2025-3515 Drag and Drop Multiple File Upload for Contact Form 7 Remote Code Execution

Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.9 - Unauthenticated Arbitrary File Upload via Insufficient Blacklist Checks

CVE-2023-5822 High 1.3.7.4

CVE-2023-5822 Drag and Drop Multiple File Upload for Contact Form 7 Remote Code Execution

Drag and Drop Multiple File Upload - Contact Form 7 <= 1.3.7.3 - Unauthenticated Arbitrary File Upload

CVE-2026-5710 High 1.3.9.7

CVE-2026-5710 Drag and Drop Multiple File Upload for Contact Form 7 File Upload

Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Limited Arbitrary File Read via mfile Field

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Drag and Drop Multiple File Upload for Contact Form 7 so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

16 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

1 critical and 9 high severity findings.

Recent CVEs

CVE-2026-5718, CVE-2026-5710 and CVE-2026-3459

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-5718 High Patch path listed

CVE-2026-5718: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.6. This is due to insufficient f...

Published

Apr 17, 2026

Patch Status

1.3.9.7

Open CVE-2026-5718 Report

CVE-2026-5710 High Patch path listed

CVE-2026-5710: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Limited Arbitrary File Read via mfile Field

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary File Read in versions up to and including 1.3.9.6. This is...

Published

Apr 17, 2026

Patch Status

1.3.9.7

Open CVE-2026-5710 Report

CVE-2026-3459 High Patch path listed

CVE-2026-3459: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.5 - Unauthenticated Arbitrary File Upload

The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' f...

Published

Mar 05, 2026

Patch Status

1.3.9.6

Open CVE-2026-3459 Report

Known Vulnerabilities

Reports for Drag and Drop Multiple File Upload for Contact Form 7

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-5718

CVE-2026-5718: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.6. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces...

Published

Apr 17, 2026

Patched Release

1.3.9.7

Affected Versions

Versions up to 1.3.9.6

Next Step

Update to 1.3.9.7 or newer if supported.

Open CVE-2026-5718 Report Open CVE Reference

Plugin High Patched: Yes CVE-2026-5710

CVE-2026-5710: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Limited Arbitrary File Read via mfile Field

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary File Read in versions up to and including 1.3.9.6. This is due to the plugin using client-supplied mfile[] POST values as the source of truth for em...

Published

Apr 17, 2026

Patched Release

1.3.9.7

Affected Versions

Versions up to 1.3.9.6

Next Step

Update to 1.3.9.7 or newer if supported.

Open CVE-2026-5710 Report Open CVE Reference

Plugin High Patched: Yes CVE-2026-3459

CVE-2026-3459: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.5 - Unauthenticated Arbitrary File Upload

The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthentica...

Published

Mar 05, 2026

Patched Release

1.3.9.6

Affected Versions

Versions up to 1.3.9.5

Next Step

Update to 1.3.9.6 or newer if supported.

Open CVE-2026-3459 Report Open CVE Reference

Plugin Low Patched: Yes CVE-2025-14457

CVE-2025-14457: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.2 - Missing Authorization to Unauthenticated File Deletion

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible f...

Published

Jan 14, 2026

Patched Release

1.3.9.3

Affected Versions

Versions up to 1.3.9.2

Next Step

Update to 1.3.9.3 or newer if supported.

Open CVE-2025-14457 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-14842

CVE-2025-14842: Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.2 - Unauthenticated Limited Arbitrary File Upload

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unaut...

Published

Jan 06, 2026

Patched Release

1.3.9.3

Affected Versions

Versions up to 1.3.9.2

Next Step

Update to 1.3.9.3 or newer if supported.

Open CVE-2025-14842 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-8464

CVE-2025-8464: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.0 - Directory Traversal via `wpcf7_guest_user_id` Cookie

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.3.9.0 via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files ou...

Published

Aug 15, 2025

Patched Release

1.3.9.1

Affected Versions

Versions up to 1.3.9.0

Next Step

Update to 1.3.9.1 or newer if supported.

Open CVE-2025-8464 Report Open CVE Reference

Plugin High Patched: Yes CVE-2025-3515

CVE-2025-3515: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.9 - Unauthenticated Arbitrary File Upload via Insufficient Blacklist Checks

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin...

Published

Jun 16, 2025

Patched Release

1.3.9.0

Affected Versions

Versions up to 1.3.8.9

Next Step

Update to 1.3.9.0 or newer if supported.

Open CVE-2025-3515 Report Open CVE Reference

Plugin High Patched: Yes CVE-2025-2485

CVE-2025-2485: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.7 - Unauthenticated PHP Object Injection via PHAR to Arbitrary File Deletion

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8.7 via deserialization of untrusted input from the 'dnd_upload_cf7_upload' function. This makes it possible for attacker...

Published

Mar 27, 2025

Patched Release

1.3.8.9

Affected Versions

Versions up to 1.3.8.8

Next Step

Update to 1.3.8.9 or newer if supported.

Open CVE-2025-2485 Report Open CVE Reference

Plugin High Patched: Yes CVE-2025-2328

CVE-2025-2328: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.7 - Unauthenticated Arbitrary File Deletion

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files' function in all versions up to, and including, 1.3.8.7. This makes it possible for u...

Published

Mar 27, 2025

Patched Release

1.3.8.8

Affected Versions

Versions up to 1.3.8.7

Next Step

Update to 1.3.8.8 or newer if supported.

Open CVE-2025-2328 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-12267

CVE-2024-12267: Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.8.5 - Limited Arbitrary File Deletion

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.8.5. This makes it possib...

Published

Jan 30, 2025

Patched Release

1.3.8.6

Affected Versions

Versions up to 1.3.8.5

Next Step

Update to 1.3.8.6 or newer if supported.

Open CVE-2024-12267 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-3717

CVE-2024-3717: Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.7.7 - Sensitive Information Exposure

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.7.7 via the '/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files' directory. This makes it possible for unauthentic...

Published

Apr 29, 2024

Patched Release

1.3.7.8

Affected Versions

Versions up to 1.3.7.7

Next Step

Update to 1.3.7.8 or newer if supported.

Open CVE-2024-3717 Report Open CVE Reference

Plugin High Patched: Yes CVE-2023-5822

CVE-2023-5822: Drag and Drop Multiple File Upload - Contact Form 7 <= 1.3.7.3 - Unauthenticated Arbitrary File Upload

Published

Nov 01, 2023

Patched Release

1.3.7.4

Affected Versions

Versions up to 1.3.7.3

Next Step

Update to 1.3.7.4 or newer if supported.

Open CVE-2023-5822 Report Open CVE Reference