{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5364/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-5364"}],"_cs_exploited":false,"_cs_products":["Drag and Drop File Upload for Contact Form 7 plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","file-upload","rce","plugin","CVE-2026-5364"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Drag and Drop File Upload for Contact Form 7 plugin for WordPress, in versions up to and including 1.1.3, contains an arbitrary file upload vulnerability tracked as CVE-2026-5364. The flaw stems from insufficient sanitization of file extensions during the upload process. Specifically, the plugin extracts the file extension before sanitization and allows the file type parameter to be controlled by the attacker. Furthermore, validation occurs on the unsanitized extension, while the file is saved with a sanitized extension, stripping special characters like \u0026lsquo;$\u0026rsquo; during the save. While an .htaccess file and name randomization are present, these restrictions may be bypassable in certain configurations or by exploiting other vulnerabilities. This vulnerability could allow unauthenticated attackers to upload arbitrary PHP files to the web server, potentially leading to remote code execution (RCE).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress website using a vulnerable version (\u0026lt;= 1.1.3) of the \u0026ldquo;Drag and Drop File Upload for Contact Form 7\u0026rdquo; plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the plugin\u0026rsquo;s upload endpoint, typically \u003ccode\u003e/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a file with a manipulated extension, such as \u003ccode\u003eevil.php$.jpg\u003c/code\u003e, where \u003ccode\u003eevil.php\u003c/code\u003e is the malicious PHP payload and \u003ccode\u003e$.jpg\u003c/code\u003e is designed to be sanitized to \u003ccode\u003e.jpg\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003efile type\u003c/code\u003e parameter in the request to reflect the original manipulated file extension (\u003ccode\u003eevil.php$.jpg\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe plugin validates the extension against administrator-configured types but, due to the unsanitized extension and attacker control over the file type parameter, the malicious file passes validation.\u003c/li\u003e\n\u003cli\u003eThe plugin sanitizes the extension, removing the \u003ccode\u003e$\u003c/code\u003e character, resulting in a file saved with the extension \u003ccode\u003e.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to access the uploaded PHP file via a direct HTTP request to \u003ccode\u003e/wp-content/uploads/\u0026lt;random_name\u0026gt;.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003e.htaccess\u003c/code\u003e restrictions are bypassed (e.g., due to misconfiguration or another vulnerability), the web server executes the malicious PHP code, granting the attacker remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5364 allows unauthenticated attackers to upload and execute arbitrary PHP code on the target WordPress server. This can lead to complete compromise of the website, including defacement, data theft, and installation of backdoors. While the presence of \u003ccode\u003e.htaccess\u003c/code\u003e and name randomization mitigates the risk, these protections may be bypassed, especially when combined with other vulnerabilities or misconfigurations. Given the widespread use of WordPress and its plugins, this vulnerability poses a significant risk to a large number of websites. The CVSS v3.1 base score is 8.1, indicating a high severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u0026ldquo;Drag and Drop File Upload for Contact Form 7\u0026rdquo; plugin to the latest version (greater than 1.1.3) to patch CVE-2026-5364.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to inspect and block requests containing suspicious file extensions in the POST parameters targeting the plugin\u0026rsquo;s upload endpoint (\u003ccode\u003e/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious File Upload via Drag and Drop CF7\u003c/code\u003e to identify exploitation attempts in web server logs (cs-uri-query).\u003c/li\u003e\n\u003cli\u003eReview and harden \u003ccode\u003e.htaccess\u003c/code\u003e configurations to ensure that PHP execution is restricted in the \u003ccode\u003e/wp-content/uploads/\u003c/code\u003e directory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-wordpress-plugin-upload/","summary":"The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to 1.1.3, allowing unauthenticated attackers to upload arbitrary PHP files by manipulating the file type parameter and exploiting extension sanitization vulnerabilities.","title":"WordPress Drag and Drop File Upload Plugin Vulnerable to Arbitrary File Upload (CVE-2026-5364)","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-plugin-upload/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-5364","version":"https://jsonfeed.org/version/1.1"}