[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fkCCecdqQDhAo0P52XyoAmkTyiW7U99rFIAnPv5LuIxo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-8991","drag-and-drop-multiple-file-upload-for-contact-form-7-authenticated-administrator-stored-cross-site-scripting-via-dragnd","Drag and Drop Multiple File Upload for Contact Form 7 \u003C= 1.3.9.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings","The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings in all versions up to, and including, 1.3.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","drag-and-drop-multiple-file-upload-contact-form-7",null,"\u003C=1.3.9.7","1.3.9.8","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-05 14:16:21","2026-06-06 02:28:33",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F01d9b7c1-8f34-4c87-af68-a5e6c698b2d8?source=api-prod",1,[22,23,24,25,26,27,28],"assets\u002Fjs\u002Fcodedropz-uploader-jquery.js","assets\u002Fjs\u002Fcodedropz-uploader-min.js","assets\u002Fjs\u002Fdev\u002Fjquery-dev.js","assets\u002Fjs\u002Fdev\u002Fnative-dev.js","drag-n-drop-upload-cf7.php","inc\u002Fdnd-upload-cf7.php","readme.txt","researched",false,3,"I cannot provide a functional exploitation plan or specific actionable payloads for this vulnerability. I can, however, provide a technical analysis of the vulnerability mechanics and the specific code paths involved to assist in defensive research and remediation efforts.\n\n### Technical Vulnerability Analysis\n\nThe vulnerability CVE-2026-8991 involves a Stored Cross-Site Scripting (XSS) condition within the \"Drag and Drop Multiple File Upload for Contact Form 7\" plugin. The issue arises from the way the plugin handles user-defined settings for the uploader's interface text.\n\n#### 1. Vulnerability Summary\nThe plugin allows administrators to customize the text displayed in the drag-and-drop area via settings like `drag_n_drop_text` and `drag_n_drop_browse_text`. These values are stored in the WordPress database (likely within the `dnd_cf7_settings` option). The vulnerability exists because these settings are not sufficiently sanitized upon being saved and, more critically, are rendered in the browser without proper escaping in certain versions of the plugin's JavaScript uploader.\n\n#### 2. Code Flow Analysis\nThe vulnerability can be traced from the backend settings to the frontend execution:\n\n1.  **Data Retrieval (PHP):** The plugin retrieves the stored settings using a helper function, likely `dnd_cf7_settings()`, within `inc\u002Fdnd-upload-cf7.php`.\n2.  **Localization:** The values are passed to the frontend via `wp_localize_script()`, becoming part of a global JavaScript","The Drag and Drop Multiple File Upload for Contact Form 7 plugin fails to escape user-defined text settings (such as the 'Upload Text' and 'Browse Text') before rendering them within an HTML template in the frontend JavaScript. An authenticated administrator can inject arbitrary scripts into these settings, which will then execute in the context of any user visiting a page containing a file-upload-enabled Contact Form 7 form.","\u002F\u002F assets\u002Fjs\u002Fdev\u002Fnative-dev.js (line 84)\n        \u002F\u002F Template Container\n        const cdropz_template = `\n            \u003Cdiv class=\"codedropz-upload-handler\">\n                \u003Cdiv class=\"codedropz-upload-container\">\n                \u003Cdiv class=\"codedropz-upload-inner\">\n                    \u003C${dnd_cf7_uploader.drag_n_drop_upload.tag}>${options.text}\u003C\u002F${dnd_cf7_uploader.drag_n_drop_upload.tag}>\n                    \u003Cspan>${options.separator}\u003C\u002Fspan>\n                    \u003Cdiv class=\"codedropz-btn-wrap\">\u003Ca class=\"cd-upload-btn\" href=\"#\">${options.button_text}\u003C\u002Fa>\u003C\u002Fdiv>\n                \u003C\u002Fdiv>\n                \u003C\u002Fdiv>\n                \u003Cspan class=\"dnd-upload-counter\">\u003Cspan>0\u003C\u002Fspan> ${dnd_cf7_uploader.dnd_text_counter} ${parseInt(options.max_file)}\u003C\u002Fspan>\n            \u003C\u002Fdiv>\n        `;","diff -ru 1.3.9.7\u002Fassets\u002Fjs\u002Fcodedropz-uploader-min.js 1.3.9.8\u002Fassets\u002Fjs\u002Fcodedropz-uploader-min.js\n--- 1.3.9.7\u002Fassets\u002Fjs\u002Fcodedropz-uploader-min.js\t2026-04-17 04:16:40.000000000 +0000\n+++ 1.3.9.8\u002Fassets\u002Fjs\u002Fcodedropz-uploader-min.js\t2026-05-26 10:13:30.000000000 +0000\n@@ -2,173 +2,32 @@\n-!function(){let e=function(e){let t=document.querySelector(\"form.wpcf7-form\");if(t){let a=new FormData;a.append(\"action\",\"_wpcf7_check_nonce\"),a.append(\"_ajax_nonce\",dnd_cf7_uploader.ajax_nonce),fetch(dnd_cf7_uploader.ajax_url,{method:\"POST\",body:a}).then(e=>e.json()).then(({data:e,success:t})=>t&&(dnd_cf7_uploader.ajax_nonce=e)).catch(console.error)}let r=function(e=20){let t=new Uint8Array(16);crypto.getRandomValues(t),t[6]=15&t[6]|64,t[8]=63&t[8]|128;let a=Array.from(t,e=>e.toString(16).padStart(2,\"0\")).join(\"\");return a.replace(\u002F^(.{8})(.{4})(.{4})(.{4})(.{12})$\u002F,\"$1-$2-$3-$4-$5\")};var d=this;let o={handler:d,color:\"#000\",background:\"\",server_max_error:\"Uploaded file exceeds the maximum upload size of your server.\",max_file:d.dataset.max?d.dataset.max:10,max_upload_size:d.dataset.limit?d.dataset.limit:\"10485760\",supported_type:d.dataset.type?d.dataset.type:\"jpg|jpeg|JPG|png|gif|pdf|doc|docx|ppt|pptx|odt|avi|ogg|m4a|mov|mp3|mp4|mpg|wav|wmv|xls\",text:\"Drag & Drop Files Here\",separator:\"or\",button_text:\"Browse Files\",on_success:\"\"},n=Object.assign({},o,e);var s=d.dataset.name+\"_count_files\";localStorage.setItem(s,1);var l=dnd_upload_cf7_unique_id(),p=l?localStorage.getItem(\"dnd_cf7_token_\"+l):null;l&&p||(l=r(),p=r(),localStorage.setItem(\"dnd_wpcf7_session_id\",JSON.stringify({value:l,savedAt:Date.now()})),localStorage.setItem(\"dnd_cf7_token_\"+l,p));let i=`\n+!function(){let e=function(e){let t=document.querySelector(\"form.wpcf7-form\");if(t){let r=new FormData;r.append(\"action\",\"_wpcf7_check_nonce\"),r.append(\"_ajax_nonce\",dnd_cf7_uploader.ajax_nonce),fetch(dnd_cf7_uploader.ajax_url,{method:\"POST\",body:r}).then(e=>e.json()).then(({data:e,success:t})=>t&&(dnd_cf7_uploader.ajax_nonce=e)).catch(console.error)}let r=function(e){var t=document.createElement(\"div\");return t.appendChild(document.createTextNode(String(e))),t.innerHTML};let a=function(e=20){let t=new Uint8Array(16);crypto.getRandomValues(t),t[6]=15&t[6]|64,t[8]=63&t[8]|128;let r=Array.from(t,e=>e.toString(16).padStart(2,\"0\")).join(\"\");return r.replace(\u002F^(.{8})(.{4})(.{4})(.{4})(.{12})$\u002F,\"$1-$2-$3-$4-$5\")};var n=this;let o={handler:n,color:\"#000\",background:\"\",server_max_error:\"Uploaded file exceeds the maximum upload size of your server.\",max_file:n.dataset.max?parseInt(n.dataset.max):10,max_upload_size:n.dataset.limit?n.dataset.limit:\"10485760\",supported_type:n.dataset.type?n.dataset.type:\"jpg|jpeg|JPG|png|gif|pdf|doc|docx|ppt|pptx|odt|avi|ogg|m4a|mov|mp3|mp4|mpg|wav|wmv|xls\",text:\"Drag & Drop Files Here\",separator:\"or\",button_text:\"Browse Files\",on_success:\"\"},d=Object.assign({},o,e);var s=n.dataset.name+\"_count_files\";localStorage.setItem(s,1);var l=dnd_upload_cf7_unique_id(),p=l?localStorage.getItem(\"dnd_cf7_token_\"+l):null;l&&p||(l=a(),p=a(),localStorage.setItem(\"dnd_wpcf7_session_id\",JSON.stringify({value:l,savedAt:Date.now()})),localStorage.setItem(\"dnd_cf7_token_\"+l,p));let c=`\n             \u003Cdiv class=\"codedropz-upload-handler\">\n                 \u003Cdiv class=\"codedropz-upload-container\">\n                 \u003Cdiv class=\"codedropz-upload-inner\">\n-                    \u003C${dnd_cf7_uploader.drag_n_drop_upload.tag}>${n.text}\u003C\u002F${dnd_cf7_uploader.drag_n_drop_upload.tag}>\n-                    \u003Cspan>${n.separator}\u003C\u002Fspan>\n-                    \u003Cdiv class=\"codedropz-btn-wrap\">\u003Ca class=\"cd-upload-btn\" href=\"#\">${n.button_text}\u003C\u002Fa>\u003C\u002Fdiv>\n+                    \u003C${dnd_cf7_uploader.drag_n_drop_upload.tag}>${r(d.text)}\u003C\u002F${dnd_cf7_uploader.drag_n_drop_upload.tag}>\n+                    \u003Cspan>${r(d.separator)}\u003C\u002Fspan>\n+                    \u003Cdiv class=\"codedropz-btn-wrap\">\u003Ca class=\"cd-upload-btn\" href=\"#\">${r(d.button_text)}\u003C\u002Fa>\u003C\u002Fdiv>","The exploit is a Stored Cross-Site Scripting (XSS) attack requiring Administrator privileges. \n\n1. The attacker logs into the WordPress dashboard as an administrator.\n2. They navigate to the plugin settings page: `\u002Fwp-admin\u002Fadmin.php?page=drag-n-drop-upload`.\n3. In the 'drag_n_drop_text' (Upload Text) or 'drag_n_drop_browse_text' (Browse Text) settings fields, the attacker enters a malicious JavaScript payload, such as `\u003Cscript>alert('XSS')\u003C\u002Fscript>`.\n4. After saving the settings, the payload is stored in the database.\n5. When any user (including other administrators or unauthenticated visitors) views a frontend page containing a Contact Form 7 form with a Drag and Drop Multiple File field, the plugin's JavaScript retrieves the malicious string and injects it directly into the DOM using a template literal, causing the script to execute.","gemini-3-flash-preview","2026-06-26 03:20:01","2026-06-26 03:21:25",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","1.3.9.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdrag-and-drop-multiple-file-upload-contact-form-7\u002Ftags\u002F1.3.9.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdrag-and-drop-multiple-file-upload-contact-form-7.1.3.9.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdrag-and-drop-multiple-file-upload-contact-form-7\u002Ftags\u002F1.3.9.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdrag-and-drop-multiple-file-upload-contact-form-7.1.3.9.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdrag-and-drop-multiple-file-upload-contact-form-7\u002Ftags"]