{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/drag-and-drop-multiple-file-upload-for-contact-form-7/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-5710"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Drag and Drop Multiple File Upload for Contact Form 7"],"_cs_severities":["high"],"_cs_tags":["wordpress","path-traversal","arbitrary-file-read","plugin-vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Drag and Drop Multiple File Upload plugin for Contact Form 7, versions up to and including 1.3.9.6, contains a path traversal vulnerability (CVE-2026-5710). This flaw allows unauthenticated attackers to read arbitrary files readable by the web server process within the WordPress 'wp-content' directory. The vulnerability stems from the plugin's reliance on client-supplied \u003ccode\u003emfile[]\u003c/code\u003e POST values for email attachment selection without proper server-side validation. Specifically, the plugin lacks path canonicalization, directory containment boundary enforcement, and upload provenance checks, making it susceptible to path traversal attacks. Successful exploitation results in sensitive file disclosure via email attachments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable \u0026quot;Drag and Drop Multiple File Upload for Contact Form 7\u0026quot; plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to a Contact Form 7 endpoint on the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a \u003ccode\u003emfile[]\u003c/code\u003e parameter containing a path traversal sequence (e.g., \u003ccode\u003e../../../../wp-config.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ednd_wpcf7_posted_data()\u003c/code\u003e function processes the \u003ccode\u003emfile[]\u003c/code\u003e value without sanitization, appending the user-supplied filename to the plugin's upload URL.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ednd_cf7_mail_components()\u003c/code\u003e function converts the URL to a filesystem path using \u003ccode\u003estr_replace()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efile_exists()\u003c/code\u003e function is used as a check, but the path traversal allows access to files outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe targeted file (e.g., \u003ccode\u003ewp-config.php\u003c/code\u003e) is attached to an outgoing Contact Form 7 email as an attachment.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the email (if possible) or monitors for successful email transmission, gaining access to the contents of the targeted file.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability allows unauthenticated attackers to read arbitrary files within the 'wp-content' directory that are accessible to the web server process. This may include sensitive configuration files (e.g., \u003ccode\u003ewp-config.php\u003c/code\u003e containing database credentials), plugin code, and uploaded media. The impact is limited to the 'wp-content' directory due to the \u003ccode\u003ewpcf7_is_file_path_in_content_dir()\u003c/code\u003e function within the Contact Form 7 plugin which performs a check to ensure that the requested file is within that folder.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u0026quot;Drag and Drop Multiple File Upload for Contact Form 7\u0026quot; plugin to a version higher than 1.3.9.6 to patch CVE-2026-5710.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect WordPress Drag and Drop Plugin Path Traversal\u003c/code\u003e to identify attempts to exploit this vulnerability via HTTP requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..%2f\u003c/code\u003e) in the \u003ccode\u003emfile[]\u003c/code\u003e parameter to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-wp-drag-drop-path-trav/","summary":"The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files within the 'wp-content' directory readable by the web server process.","title":"WordPress Drag and Drop Multiple File Upload Plugin Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-wp-drag-drop-path-trav/"}],"language":"en","title":"CraftedSignal Threat Feed - Drag and Drop Multiple File Upload for Contact Form 7","version":"https://jsonfeed.org/version/1.1"}