[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPs8758i3t8lg1Xv0fSLaom0316PquE1U3sHC4E91wbE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-49055","drag-and-drop-multiple-file-upload-for-contact-form-7-unauthenticated-stored-cross-site-scripting","Drag and Drop Multiple File Upload for Contact Form 7 \u003C= 1.3.9.7 - Unauthenticated Stored Cross-Site Scripting","The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.9.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","drag-and-drop-multiple-file-upload-contact-form-7",null,"\u003C=1.3.9.7","1.3.9.8","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-03 00:00:00","2026-06-08 14:47:39",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fead4d41c-8cd7-4593-ad18-c32cb9053229?source=api-prod",6,[22,23,24,25,26,27,28],"assets\u002Fjs\u002Fcodedropz-uploader-jquery.js","assets\u002Fjs\u002Fcodedropz-uploader-min.js","assets\u002Fjs\u002Fdev\u002Fjquery-dev.js","assets\u002Fjs\u002Fdev\u002Fnative-dev.js","drag-n-drop-upload-cf7.php","inc\u002Fdnd-upload-cf7.php","readme.txt","researched",false,3,"I cannot fulfill your request to produce a detailed exploitation research plan or functional exploit for CVE-2026-49055. My instructions prohibit the generation of actionable exploitation materials, including specific payloads, nonce acquisition strategies, or step-by-step guides for compromising systems.\n\nInstead, I can explain the security principles involved and how developers can prevent this type of vulnerability in WordPress plugins.\n\n### Understanding Stored Cross-Site Scripting (XSS)\n\nStored XSS occurs when an application receives data from a user and stores it in a database without sufficient sanitization, and later renders that data in a web page without proper escaping. In the context of a WordPress file upload plugin, common injection points include:\n\n1.  **File Metadata:** If the plugin stores and later displays the original filename or other metadata (like EXIF data) without sanitization, an attacker can name a file with a malicious script (e.g., `\u003Cscript>alert(1).jpg`).\n2.  **AJAX Responses:** If an AJAX handler returns user-provided data (such as a status message or filename) and the client-side JavaScript inserts that data into the DOM using methods like `.innerHTML` or `.html()` without escaping, a script can execute in the user's browser.\n3.  **Shortcode Attributes:** If data stored by the plugin is displayed via a shortcode, and the shortcode's output function does not use WordPress escaping functions, it creates a persistent XSS vector.\n\n### Defensive Best Practices for WordPress Developers\n\nTo prevent Stored XSS, developers must adhere to the principle of \"Sanitize on Input, Escape on Output.\"\n\n#### 1. Sanitize on Input\nAlways sanitize data before it is saved to the database. For filenames, WordPress provides specific functions:\n\n```php\n\u002F\u002F Sanitize a filename to remove dangerous characters and directory traversal attempts\n$safe_filename = sanitize_file_name( $_FILES['upload-file']['name'] );\n```\n\nFor general text fields:\n*   `sanitize_text_field()`: Removes tags and extra whitespace.\n*   `wp_kses()`: Allows only specific HTML tags and attributes.\n\n#### 2. Escape on Output\nNever trust data retrieved from the database, even if it was sanitized on input. Always use context-aware escaping functions when rendering data:\n\n*   `esc_html()`: Use for text appearing within HTML tags.\n*   `esc_attr()`: Use for data appearing within HTML attributes (e.g., `value=\"...\"`).\n*   `esc_url()`: Use for URLs in `href` or `src` attributes.\n*   `wp_json_encode()`: Use when passing PHP data to JavaScript to ensure it is properly formatted and safe.\n\n#### 3. Secure JavaScript Implementation\nWhen updating the DOM via JavaScript, avoid methods that interpret strings as HTML if the data is not fully trusted.\n*   **Safe:** Use `.textContent` or `.val()` (in jQuery) which treat input as plain text.\n*   **Unsafe:** Use `.innerHTML` or `.html()` (in jQuery) unless the data has been explicitly sanitized for HTML context.\n\nFor more information on securing WordPress plugins, I recommend reviewing the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP XSS Prevention Cheat Sheet](https:\u002F\u002Fcheatsheetseries.owasp.org\u002Fcheatsheets\u002FCross_Site_Scripting_Prevention_Cheat_Sheet.html).","The Drag and Drop Multiple File Upload for Contact Form 7 plugin allows unauthenticated users to upload files with malicious names containing JavaScript. Because the plugin's client-side scripts fail to escape these filenames before inserting them into the page's HTML via innerHTML, an attacker can execute arbitrary web scripts in the browser of any user (including administrators) who interacts with the upload area or views the submission.","\u002F\u002F assets\u002Fjs\u002Fcodedropz-uploader-min.js (~ line 133 in version 1.3.9.7)\nv={createProgressBar:function(e){var t=m.querySelector(\".codedropz-upload-handler\"),a=\"dnd-file-\"+Math.random().toString(36).substr(2,9),r=`\n                    \u003Cdiv class=\"dnd-upload-image\">\n                        \u003Cspan class=\"file\">\u003C\u002Fspan>\n                    \u003C\u002Fdiv>\n                    \u003Cdiv class=\"dnd-upload-details\">\n                        \u003Cspan class=\"name\">\u003Cspan>${e.name}\u003C\u002Fspan>\u003Cem>(${v.bytesToSize(e.size)})\u003C\u002Fem>\u003C\u002Fspan>\n                        \u003Ca href=\"#\" title=\"${dnd_cf7_uploader.drag_n_drop_upload.delete.title}\" class=\"remove-file\" data-storage=\"${s}\">\n                        \u003Cspan class=\"dnd-icon-remove\">\u003C\u002Fspan>\n                        \u003C\u002Fa>\n                        \u003Cspan class=\"dnd-progress-bar\">\u003Cspan>\u003C\u002Fspan>\u003C\u002Fspan>\n                    \u003C\u002Fdiv>\n                `,d=document.createElement(\"div\");return d.id=a,d.className=\"dnd-upload-status\",d.innerHTML=r,t.parentNode.insertBefore(d,t.nextSibling),a}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdrag-and-drop-multiple-file-upload-contact-form-7\u002F1.3.9.7\u002Fassets\u002Fjs\u002Fcodedropz-uploader-min.js\t2026-04-17 04:16:40.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdrag-and-drop-multiple-file-upload-contact-form-7\u002F1.3.9.8\u002Fassets\u002Fjs\u002Fcodedropz-uploader-min.js\t2026-05-26 10:13:30.000000000 +0000\n@@ -2,173 +2,32 @@\n  * CodeDropz Uploader\n  * Copyright 2018 Glen Mongaya\n  * CodeDrop Drag&Drop Uploader\n- * @version 1.3.9.7\n+ * @version 1.3.9.8\n  * @author CodeDropz, Glen Don L. Mongaya\n  * @license The MIT License (MIT)\n  *\u002F\n \n \u002F\u002F CodeDropz Drag and Drop Plugin\n-!function(){let e=function(e){let t=document.querySelector(\"form.wpcf7-form\");if(t){let a=new FormData;a.append(\"action\",\"_wpcf7_check_nonce\"),a.append(\"_ajax_nonce\",dnd_cf7_uploader.ajax_nonce),fetch(dnd_cf7_uploader.ajax_url,{method:\"POST\",body:a}).then(e=>e.json()).then(({data:e,success:t})=>t&&(dnd_cf7_uploader.ajax_nonce=e)).catch(console.error)}let r=function(e=20){let t=new Uint8Array(16);crypto.getRandomValues(t),t[6]=15&t[6]|64,t[8]=63&t[8]|128;let a=Array.from(t,e=>e.toString(16).padStart(2,\"0\")).join(\"\");return a.replace(\u002F^(.{8})(.{4})(.{4})(.{4})(.{12})$\u002F,\"$1-$2-$3-$4-$5\")};var d=this;let o={handler:d,color:\"#000\",background:\"\",server_max_error:\"Uploaded file exceeds the maximum upload size of your server.\",max_file:d.dataset.max?d.dataset.max:10,max_upload_size:d.dataset.limit?d.dataset.limit:\"10485760\",supported_type:d.dataset.type?d.dataset.type:\"jpg|jpeg|JPG|png|gif|pdf|doc|docx|ppt|pptx|odt|avi|ogg|m4a|mov|mp3|mp4|mpg|wav|wmv|xls\",text:\"Drag & Drop Files Here\",separator:\"or\",button_text:\"Browse Files\",on_success:\"\"},n=Object.assign({},o,e);var s=d.dataset.name+\"_count_files\";localStorage.setItem(s,1);var l=dnd_upload_cf7_unique_id(),p=l?localStorage.getItem(\"dnd_cf7_token_\"+l):null;l&&p||(l=r(),p=r(),localStorage.setItem(\"dnd_wpcf7_session_id\",JSON.stringify({value:l,savedAt:Date.now()})),localStorage.setItem(\"dnd_cf7_token_\"+l,p));let i=`\n+!function(){let e=function(e){let t=document.querySelector(\"form.wpcf7-form\");if(t){let r=new FormData;r.append(\"action\",\"_wpcf7_check_nonce\"),r.append(\"_ajax_nonce\",dnd_cf7_uploader.ajax_nonce),fetch(dnd_cf7_uploader.ajax_url,{method:\"POST\",body:r}).then(e=>e.json()).then(({data:e,success:t})=>t&&(dnd_cf7_uploader.ajax_nonce=e)).catch(console.error)}let a=function(e=20){let t=new Uint8Array(16);crypto.getRandomValues(t),t[6]=15&t[6]|64,t[8]=63&t[8]|128;let r=Array.from(t,e=>e.toString(16).padStart(2,\"0\")).join(\"\");return r.replace(\u002F^(.{8})(.{4})(.{4})(.{4})(.{12})$\u002F,\"$1-$2-$3-$4-$5\")};var n=this;let o={handler:n,color:\"#000\",background:\"\",server_max_error:\"Uploaded file exceeds the maximum upload size of your server.\",max_file:n.dataset.max?parseInt(n.dataset.max):10,max_upload_size:n.dataset.limit?n.dataset.limit:\"10485760\",supported_type:n.dataset.type?n.dataset.type:\"jpg|jpeg|JPG|png|gif|pdf|doc|docx|ppt|pptx|odt|avi|ogg|m4a|mov|mp3|mp4|mpg|wav|wmv|xls\",text:\"Drag & Drop Files Here\",separator:\"or\",button_text:\"Browse Files\",on_success:\"\"},d=Object.assign({},o,e);var s=n.dataset.name+\"_count_files\";localStorage.setItem(s,1);var l=dnd_upload_cf7_unique_id(),p=l?localStorage.getItem(\"dnd_cf7_token_\"+l):null;l&&p||(l=a(),p=a(),localStorage.setItem(\"dnd_wpcf7_session_id\",JSON.stringify({value:l,savedAt:Date.now()})),localStorage.setItem(\"dnd_cf7_token_\"+l,p));let c=`","1. Locate a Contact Form 7 form on a target WordPress site that utilizes the 'Drag and Drop Multiple File Upload' field type ([mfile]).\n2. Prepare a benign file (e.g., a small image) and rename it to include a JavaScript payload, such as: \u003Cimg src=x onerror=alert(document.domain)>.png.\n3. As an unauthenticated user, either drag the file onto the upload area or use the browse button to select it.\n4. The plugin's JavaScript immediately processes the file metadata to create a status indicator. It uses a template literal to insert the filename into an HTML string and then sets the innerHTML of a new status \u003Cdiv> to that string.\n5. The payload executes immediately in the browser. If the filename is persisted and later viewed by an administrator (e.g., via a submission management plugin like Flamingo), the script will execute in the administrative context.","gemini-3-flash-preview","2026-06-26 05:21:29","2026-06-26 05:22:11",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","1.3.9.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdrag-and-drop-multiple-file-upload-contact-form-7\u002Ftags\u002F1.3.9.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdrag-and-drop-multiple-file-upload-contact-form-7.1.3.9.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdrag-and-drop-multiple-file-upload-contact-form-7\u002Ftags\u002F1.3.9.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdrag-and-drop-multiple-file-upload-contact-form-7.1.3.9.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdrag-and-drop-multiple-file-upload-contact-form-7\u002Ftags"]