GHSA-x2rq-6f4j-qh68MediumCVSS 4.4
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to...
🔗 CVE IDs covered (1)
📋 Description
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings in all versions up to, and including, 1.3.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
🔗 References (10)
- https://nvd.nist.gov/vuln/detail/CVE-2026-8991
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.6/assets/js/codedropz-uploader-min.js#L15
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.6/inc/dnd-upload-cf7.php#L1445
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.6/inc/dnd-upload-cf7.php#L587
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.7/assets/js/codedropz-uploader-min.js#L15
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.7/inc/dnd-upload-cf7.php#L1445
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.7/inc/dnd-upload-cf7.php#L587
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3508522%40drag-and-drop-multiple-file-upload-contact-form-7&new=3508522%40drag-and-drop-multiple-file-upload-contact-form-7&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/01d9b7c1-8f34-4c87-af68-a5e6c698b2d8?source=cve
- https://github.com/advisories/GHSA-x2rq-6f4j-qh68