<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Drag and Drop Multiple File Upload for Contact Form 7 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/drag-and-drop-multiple-file-upload-for-contact-form-7/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/drag-and-drop-multiple-file-upload-for-contact-form-7/feed.xml" rel="self" type="application/rss+xml"/><item><title>WordPress Drag and Drop Multiple File Upload Plugin Path Traversal Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-wp-drag-drop-path-trav/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-wp-drag-drop-path-trav/</guid><description>The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files within the 'wp-content' directory readable by the web server process.</description><content:encoded><![CDATA[<p>The Drag and Drop Multiple File Upload plugin for Contact Form 7, versions up to and including 1.3.9.6, contains a path traversal vulnerability (CVE-2026-5710). This flaw allows unauthenticated attackers to read arbitrary files readable by the web server process within the WordPress 'wp-content' directory. The vulnerability stems from the plugin's reliance on client-supplied <code>mfile[]</code> POST values for email attachment selection without proper server-side validation. Specifically, the plugin lacks path canonicalization, directory containment boundary enforcement, and upload provenance checks, making it susceptible to path traversal attacks. Successful exploitation results in sensitive file disclosure via email attachments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress site using the vulnerable &quot;Drag and Drop Multiple File Upload for Contact Form 7&quot; plugin.</li>
<li>The attacker crafts a malicious HTTP POST request to a Contact Form 7 endpoint on the WordPress site.</li>
<li>The POST request includes a <code>mfile[]</code> parameter containing a path traversal sequence (e.g., <code>../../../../wp-config.php</code>).</li>
<li>The <code>dnd_wpcf7_posted_data()</code> function processes the <code>mfile[]</code> value without sanitization, appending the user-supplied filename to the plugin's upload URL.</li>
<li>The <code>dnd_cf7_mail_components()</code> function converts the URL to a filesystem path using <code>str_replace()</code>.</li>
<li>The <code>file_exists()</code> function is used as a check, but the path traversal allows access to files outside the intended directory.</li>
<li>The targeted file (e.g., <code>wp-config.php</code>) is attached to an outgoing Contact Form 7 email as an attachment.</li>
<li>The attacker retrieves the email (if possible) or monitors for successful email transmission, gaining access to the contents of the targeted file.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this path traversal vulnerability allows unauthenticated attackers to read arbitrary files within the 'wp-content' directory that are accessible to the web server process. This may include sensitive configuration files (e.g., <code>wp-config.php</code> containing database credentials), plugin code, and uploaded media. The impact is limited to the 'wp-content' directory due to the <code>wpcf7_is_file_path_in_content_dir()</code> function within the Contact Form 7 plugin which performs a check to ensure that the requested file is within that folder.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the &quot;Drag and Drop Multiple File Upload for Contact Form 7&quot; plugin to a version higher than 1.3.9.6 to patch CVE-2026-5710.</li>
<li>Deploy the provided Sigma rule <code>Detect WordPress Drag and Drop Plugin Path Traversal</code> to identify attempts to exploit this vulnerability via HTTP requests.</li>
<li>Monitor web server logs for suspicious requests containing path traversal sequences (e.g., <code>../</code>, <code>..%2f</code>) in the <code>mfile[]</code> parameter to detect exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>path-traversal</category><category>arbitrary-file-read</category><category>plugin-vulnerability</category></item></channel></rss>