Drag and Drop Multiple File Upload for Contact Form 7 Security & Risk Analysis

wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7

This simple plugin creates Drag & Drop or choose Multiple File upload in your Contact Form 7 Forms.

60K active installs · v1.3.9.6 · PHP 5.2.4+ · WP 3.0.1+ · Updated Mar 5, 2026
Tags: ajax-uploader, contact-form-7, drag-and-drop, multiple-file, upload

Score: 81 · B · Generally Safe
CVEs total: 14
Unpatched: 0
Last CVE: Mar 5, 2026
Safety Verdict

Is Drag and Drop Multiple File Upload for Contact Form 7 Safe to Use in 2026?

Mostly Safe

Score 81/100

Drag and Drop Multiple File Upload for Contact Form 7 is generally safe to use. 14 past CVEs were resolved. Keep it updated.

14 known CVEs · Last CVE: Mar 5, 2026 · Updated 29d ago
Risk Assessment

The plugin "drag-and-drop-multiple-file-upload-contact-form-7" v1.3.9.6 presents a mixed security posture. On the positive side, static analysis reveals a strong adherence to secure coding practices in certain areas. The absence of any critical or high severity taint flows, along with the use of prepared statements for all SQL queries and a high percentage of properly escaped output, indicates diligent development in preventing common vulnerabilities like SQL injection and XSS from within the analyzed code. Furthermore, the absence of unprotected AJAX handlers and REST API routes is a significant strength, minimizing the immediate attack surface.

However, the plugin's historical vulnerability record is a major cause for concern. A total of 14 known CVEs, including one critical and seven high severity vulnerabilities, points to a recurring pattern of security weaknesses. The common types of past vulnerabilities such as Missing Authorization, Path Traversal, and Cross-Site Request Forgery suggest systemic issues that have not been fully addressed. While there are currently no unpatched CVEs, the sheer volume and nature of historical issues, combined with the fact that the last vulnerability was dated in the future (2026-03-05), raises questions about the accuracy and completeness of the provided historical data. The presence of 3 nonce checks and 0 capability checks on the entry points is also a concern, as capability checks are crucial for enforcing granular access control.

In conclusion, while the current version shows improvements in some secure coding practices like SQL injection prevention and output escaping, the extensive and severe vulnerability history cannot be ignored. The plugin's past indicates a propensity for critical security flaws, and users should remain vigilant. The lack of capability checks on entry points is a notable weakness that warrants attention. The discrepancy in the last vulnerability date is also an anomaly that requires clarification.

Key Concerns

  • Extensive history of critical/high severity CVEs
  • Vulnerability history indicates recurring security weaknesses
  • Missing capability checks on entry points
  • Inaccurate 'last vulnerability' date (in the future)
  • 0 capability checks on 6 AJAX handlers
  • 99 total outputs, 15% improperly escaped
  • 3 Nonce checks for 6 AJAX handlers

Vulnerabilities (14)

Drag and Drop Multiple File Upload for Contact Form 7 Security Vulnerabilities

CVEs by Year

Year   CVEs
2020   1
2022   2
2023   2
2024   1
2025   5
2026   3

Severity Breakdown

Critical   1
High       7
Medium     5
Low        1

14 total CVEs

CVE-2026-3459 · high · 8.1 · Unrestricted Upload of File with Dangerous Type
  Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.5 - Unauthenticated Arbitrary File Upload
  Mar 5, 2026 · Patched in 1.3.9.6 (1d)

CVE-2025-14457 · low · 3.7 · Missing Authorization
  Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.2 - Missing Authorization to Unauthenticated File Deletion
  Jan 14, 2026 · Patched in 1.3.9.3 (1d)

CVE-2025-14842 · medium · 6.1 · Unrestricted Upload of File with Dangerous Type
  Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.2 - Unauthenticated Limited Arbitrary File Upload
  Jan 6, 2026 · Patched in 1.3.9.3 (1d)

CVE-2025-8464 · medium · 5.3 · Relative Path Traversal
  Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.0 - Directory Traversal via `wpcf7_guest_user_id` Cookie
  Aug 15, 2025 · Patched in 1.3.9.1 (1d)

CVE-2025-3515 · high · 8.1 · Unrestricted Upload of File with Dangerous Type
  Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.9 - Unauthenticated Arbitrary File Upload via Insufficient Blacklist Checks
  Jun 16, 2025 · Patched in 1.3.9.0 (1d)

CVE-2025-2328 · high · 8.8 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.7 - Unauthenticated Arbitrary File Deletion
  Mar 27, 2025 · Patched in 1.3.8.8 (1d)

CVE-2025-2485 · high · 7.5 · Deserialization of Untrusted Data
  Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.7 - Unauthenticated PHP Object Injection via PHAR to Arbitrary File Deletion
  Mar 27, 2025 · Patched in 1.3.8.9 (42d)

CVE-2024-12267 · medium · 5.3 · External Control of File Name or Path
  Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.8.5 - Limited Arbitrary File Deletion
  Jan 30, 2025 · Patched in 1.3.8.6 (1d)

CVE-2024-3717 · medium · 5.3 · Insecure Storage of Sensitive Information
  Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.7.7 - Sensitive Information Exposure
  Apr 29, 2024 · Patched in 1.3.7.8 (4d)

CVE-2023-5822 · high · 8.1 · Unrestricted Upload of File with Dangerous Type
  Drag and Drop Multiple File Upload - Contact Form 7 <= 1.3.7.3 - Unauthenticated Arbitrary File Upload
  Nov 1, 2023 · Patched in 1.3.7.4 (83d)

CVE-2022-45364 · high · 8.8 · Cross-Site Request Forgery (CSRF)
  Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.6.5 - Cross-Site Request Forgery in dnd_upload_cf7_upload and dnd_codedropz_upload_delete
  Feb 24, 2023 · Patched in 1.3.6.6 (333d)

CVE-2022-3282 · medium · 5.3 · Authorization Bypass Through User-Controlled Key
  Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.6.4 - File Upload Size Limit Bypass
  Sep 26, 2022 · Patched in 1.3.6.5 (484d)

CVE-2022-0595 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Drag and Drop Multiple File Upload - Contact Form 7 <= 1.3.6.2 - Unauthenticated Stored Cross-Site Scripting
  Mar 7, 2022 · Patched in 1.3.6.3 (687d)

CVE-2020-12800 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type
  Drag and Drop Multiple File Upload - Contact Form 7 <= 1.3.3.2 - Arbitrary File Upload
  Jun 4, 2020 · Patched in 1.3.3.3 (1328d)

Code Analysis
Analyzed Mar 16, 2026

Drag and Drop Multiple File Upload for Contact Form 7 Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 15 (84 escaped)
Nonce Checks: 3
Capability Checks: 0
File Operations: 6
External Requests: 0
Bundled Libraries: 0

Output Escaping: 85% escaped, 99 total outputs
Attack Surface

Drag and Drop Multiple File Upload for Contact Form 7 Attack Surface

Entry Points: 6
Unprotected: 0

AJAX Handlers (6)

auth   · wp_ajax_dnd_codedropz_upload        · inc\dnd-upload-cf7.php:24
nopriv · wp_ajax_dnd_codedropz_upload        · inc\dnd-upload-cf7.php:25
nopriv · wp_ajax_dnd_codedropz_upload_delete · inc\dnd-upload-cf7.php:28
auth   · wp_ajax_dnd_codedropz_upload_delete · inc\dnd-upload-cf7.php:29
auth   · wp_ajax__wpcf7_check_nonce          · inc\dnd-upload-cf7.php:32
nopriv · wp_ajax__wpcf7_check_nonce          · inc\dnd-upload-cf7.php:33

WordPress Hooks (19)

action · admin_footer           · admin\form-generator-v2.php:2
action · wpcf7_init             · inc\dnd-upload-cf7.php:17
action · wpcf7_enqueue_scripts  · inc\dnd-upload-cf7.php:18
action · plugins_loaded         · inc\dnd-upload-cf7.php:21
filter · wpcf7_posted_data      · inc\dnd-upload-cf7.php:36
action · wpcf7_before_send_mail · inc\dnd-upload-cf7.php:37
action · wpcf7_mail_components  · inc\dnd-upload-cf7.php:38
action · dnd_cf7_daily_event    · inc\dnd-upload-cf7.php:41
filter · plugin_row_meta        · inc\dnd-upload-cf7.php:44
filter · upload_mimes           · inc\dnd-upload-cf7.php:47
action · admin_menu             · inc\dnd-upload-cf7.php:53
action · wp_footer              · inc\dnd-upload-cf7.php:56
action · before_delete_post     · inc\dnd-upload-cf7.php:59
filter · wpcf7_spam             · inc\dnd-upload-cf7.php:127
action · admin_init             · inc\dnd-upload-cf7.php:216
filter · wpcf7_form_enctype     · inc\dnd-upload-cf7.php:661
filter · wpcf7_validate_mfile   · inc\dnd-upload-cf7.php:715
filter · wpcf7_validate_mfile*  · inc\dnd-upload-cf7.php:716
action · wpcf7_admin_init       · inc\dnd-upload-cf7.php:760

Scheduled Events (1)

dnd_cf7_daily_event

Maintenance & Trust

Drag and Drop Multiple File Upload for Contact Form 7 Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 5, 2026
PHP min version: 5.2.4
Downloads: 1.3M

Community Trust

Rating: 96/100
Number of ratings: 94
Active installs: 60K

Developer Profile

Drag and Drop Multiple File Upload for Contact Form 7 Developer Profile

Glen Don Mongaya

4 plugins · 65K total installs

Trust score: 71
Avg Security Score: 88/100
Avg Patch Time: 190 days

Detection Fingerprints

How We Detect Drag and Drop Multiple File Upload for Contact Form 7

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/inc/css/dnd-upload-cf7-frontend.css
/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/inc/js/dnd-upload-cf7-frontend.js
/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/inc/js/jquery.validate.min.js
/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/inc/js/additional-methods.min.js
/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/inc/css/dnd-upload-cf7-admin.css
/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/inc/js/dnd-upload-cf7-admin.js

Script Paths
/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/inc/js/dnd-upload-cf7-frontend.js
/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/inc/js/jquery.validate.min.js
/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/inc/js/additional-methods.min.js

Version Parameters
/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/inc/css/dnd-upload-cf7-frontend.css?ver=
/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/inc/js/dnd-upload-cf7-frontend.js?ver=
/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/inc/js/jquery.validate.min.js?ver=
/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/inc/js/additional-methods.min.js?ver=
/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/inc/css/dnd-upload-cf7-admin.css?ver=
/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/inc/js/dnd-upload-cf7-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
dnd-upload-cf7-dropzone
dnd-upload-cf7-file-preview
dnd-upload-cf7-file-progress
dnd-upload-cf7-drag-over

HTML Comments
<!-- Begin : begin plugin hooks -->
<!-- Auto clean up dir/files - cron schedule. -->
<!-- Add links to settings -->
<!-- Load plugin text-domain -->
+10 more

Data Attributes
data-nonce-action
data-nonce-name
data-upload-url
data-file-type
data-max-file-size
data-max-file-count

JS Globals
dnd_cf7_params
dnd_codedropz_upload_nonce

FAQ

Frequently Asked Questions about Drag and Drop Multiple File Upload for Contact Form 7