Drag and Drop File Upload for Contact Form 7 Security & Risk Analysis

wordpress.org/plugins/drag-and-drop-file-upload-for-contact-form-7

Best Drag & Drop File Upload solution for Contact Form 7. Professional, fast AJAX-based uploading, and fully mobile responsive.

60 active installs · v1.1.4 · PHP + · WP 5.0+ · Updated Apr 3, 2026
Tags: cf7-upload, contact-form-7, drag-and-drop, file-upload, multiple-file-upload

Score: 97 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Apr 23, 2026
Safety Verdict

Is Drag and Drop File Upload for Contact Form 7 Safe to Use in 2026?

Generally Safe

Score 97/100

Drag and Drop File Upload for Contact Form 7 has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Apr 23, 2026 · Updated 1mo ago
Risk Assessment

The plugin exhibits a generally strong security posture, with several positive indicators. The static analysis reveals a significant emphasis on secure coding practices, including 100% usage of prepared statements for SQL queries and an exceptionally high percentage (99%) of properly escaped outputs. The absence of known CVEs and a clean vulnerability history further contribute to this positive assessment, suggesting a commitment to maintaining a secure codebase over time. However, there are areas for improvement that introduce potential risks. The presence of two flows with unsanitized paths, even without a critical or high severity rating, warrants attention as it indicates a potential for path traversal vulnerabilities if not handled with extreme care by the plugin's logic. Additionally, the lack of capability checks on any of the AJAX handlers, despite the presence of nonce checks, means that even authenticated users might be able to trigger actions they shouldn't have permission for. While the attack surface is moderate and all identified entry points have some form of check, these missing capability checks represent a weakness in privilege escalation prevention.

Key Concerns

  • Flows with unsanitized paths found
  • No capability checks on AJAX handlers
Vulnerabilities
1 published

Drag and Drop File Upload for Contact Form 7 Security Vulnerabilities

CVEs by Year

1 CVE in 2026

Severity Breakdown

High: 1

1 total CVE

CVE-2026-5364 · high · 8.1 · Unrestricted Upload of File with Dangerous Type

Drag and Drop File Upload for Contact Form 7 <= 1.1.3 - Unauthenticated Arbitrary File Upload via sanitize_file_name Bypass

Apr 23, 2026 · Patched in 1.1.4 (1d)
Version History

Drag and Drop File Upload for Contact Form 7 Release Timeline

v1.1.4 · Current
v1.1.0 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Drag and Drop File Upload for Contact Form 7 Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 1 (88 escaped)
  • Nonce Checks: 3
  • Capability Checks: 0
  • File Operations: 3
  • External Requests: 2
  • Bundled Libraries: 0

Output Escaping

99% escaped (89 total outputs)
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows, 2 with unsanitized paths
cf7_file_uploads (backend\index.php:154)
Attack Surface

Drag and Drop File Upload for Contact Form 7 Attack Surface

Entry Points: 5
Unprotected: 0

AJAX Handlers 5

auth · wp_ajax_file_uploads_remove · backend\index.php:11
nopriv · wp_ajax_file_uploads_remove · backend\index.php:12
auth · wp_ajax_cf7_file_uploads · backend\index.php:14
nopriv · wp_ajax_cf7_file_uploads · backend\index.php:15
auth · wp_ajax_yeekit_dismiss_noty · yeekit\document.php:13
WordPress Hooks 19
action · wpcf7_init · backend\index.php:6
filter · wpcf7_validate_file_uploads · backend\index.php:7
filter · wpcf7_validate_file_uploads* · backend\index.php:8
action · wpcf7_admin_init · backend\index.php:9
filter · wpcf7_mail_components · backend\index.php:10
filter · wpcf7_messages · backend\index.php:13
action · yeeaddons_cf7_settings_uploads · backend\index.php:16
action · admin_menu · backend\settings.php:5
action · admin_init · backend\settings.php:6
action · remove_files_dropfiles · drag-and-drop-file-upload-for-contact-form-7.php:23
action · wp_enqueue_scripts · frontend\index.php:5
action · admin_menu · yeekit\document.php:10
action · admin_enqueue_scripts · yeekit\document.php:11
filter · fluentform_global_addons · yeekit\document.php:12
action · admin_notices · yeekit\document.php:14
action · elementor/element/form/section_form_options/after_section_end · yeekit\document.php:15
action · admin_init · yeekit\document.php:17
action · elementor/editor/after_enqueue_styles · yeekit\document.php:19
filter · http_response · yeekit\document.php:208

Scheduled Events 1

remove_files_dropfiles
Maintenance & Trust

Drag and Drop File Upload for Contact Form 7 Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 3, 2026
PHP min version:
Downloads: 1K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 60
Developer Profile

Drag and Drop File Upload for Contact Form 7 Developer Profile

add-ons.org

59 plugins · 26K total installs

Trust score: 87
Avg Security Score: 99/100
Avg Patch Time: 48 days
Detection Fingerprints

How We Detect Drag and Drop File Upload for Contact Form 7

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/drag-and-drop-file-upload-for-contact-form-7/frontend/css/cf7-dropfiles.css
/wp-content/plugins/drag-and-drop-file-upload-for-contact-form-7/frontend/js/dropfiles-cf7.js
Script Paths
/wp-content/plugins/drag-and-drop-file-upload-for-contact-form-7/frontend/js/dropfiles-cf7.js
Version Parameters
drag-and-drop-file-upload-for-contact-form-7/frontend/css/cf7-dropfiles.css?ver=
drag-and-drop-file-upload-for-contact-form-7/frontend/js/dropfiles-cf7.js?ver=

HTML / DOM Fingerprints

CSS Classes
yeekit_addons_list, yee-install, yee-pro
Data Attributes
data-yee-type
JS Globals
cf7_file_uploads
FAQ

Frequently Asked Questions about Drag and Drop File Upload for Contact Form 7