CVE-2026-5710
Path Traversal in Contact Form 7 Plugin Enables Arbitrary File Read
Publication date: 2026-04-17
Last updated on: 2026-04-17
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpbeaverbuilder | drag_and_drop_multiple_file_upload_for_contact_form_7 | up to and including 1.3.9.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to read and exfiltrate files readable by the web server process by supplying path traversal sequences, with the files leaving the server as attachments to the form's outgoing email. Any personal or sensitive data stored in those files is disclosed to the attacker.
Such unauthorized disclosure can bear on obligations under data protection regulations such as GDPR and HIPAA, which require that personal and sensitive information be safeguarded against unauthorized access and disclosure.
The available information does not, however, state which data types are affected or draw any specific compliance conclusion; that depends on what a given site stores under wp-content.
Can you explain this vulnerability to me?
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to path traversal leading to file read in all versions up to and including 1.3.9.6.
The root cause is that the plugin selects email attachments from client-supplied mfile[] POST values. It does not verify that the named files were actually written by the server during the upload step, does not sanitize the supplied paths, and does not enforce a directory boundary.
Specifically, each user-submitted filename is appended directly to the plugin's upload URL without sanitization, that URL is converted back into a filesystem path with only minimal checks, and the resulting path is handed to Contact Form 7 as an attachment for the outgoing email.
As a result, an unauthenticated attacker can place traversal sequences such as ../ in the mfile[] parameter and have files readable by the web server process attached to the email, which exfiltrates them to whatever address the form delivers to.
The scope of the read is not truly arbitrary: a function in Contact Form 7 itself restricts attachment paths, so in practice only files under the wp-content directory can be disclosed.
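The mechanism described above, modelled as an added example in Python (this is not the plugin's PHP code and not its real function names): a client value is appended to the upload URL, the URL is mapped back to a filesystem path by swapping the site URL for the install root, and the result is used as an attachment. The site URL, install root and upload directory layout are assumed for illustration. The block contrasts three resolvers: the vulnerable one, one that models the downstream Contact Form 7 boundary the advisory credits with confining reads to wp-content (so a file like wp-content/debug.log is still reachable), and a hardened one that accepts only bare basenames that the server itself wrote during the upload step and that resolve inside the upload directory.

```python
import posixpath

# Constructed layout for the example; not taken from the plugin or any real site.
SITE_URL = "https://example.test"
ABSPATH = "/var/www/html"
WP_CONTENT_DIR = ABSPATH + "/wp-content"
UPLOAD_DIR = WP_CONTENT_DIR + "/uploads/wp_dndcf7_uploads/wpcf7-files"  # assumed upload dir
UPLOAD_URL = SITE_URL + "/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files"


def url_to_path(url):
    """Model of a URL -> filesystem conversion that only swaps the site URL for ABSPATH.
    Nothing here collapses '..' segments, so traversal survives the round trip."""
    if not url.startswith(SITE_URL + "/"):
        return None
    return ABSPATH + url[len(SITE_URL):]


def vulnerable_attachment_path(mfile):
    """Vulnerable pattern: client mfile[] value appended to the upload URL, then converted back."""
    return url_to_path(UPLOAD_URL + "/" + mfile)


def effective_target(path):
    """Where a path with '..' segments actually lands on disk."""
    return None if path is None else posixpath.normpath(path)


def within(path, root):
    """True if the normalised path is root itself or lies below root."""
    norm = posixpath.normpath(path)
    return norm == root or norm.startswith(root + "/")


def cf7_boundary_path(mfile):
    """Model (assumed behaviour) of the downstream check that confines reads to wp-content.
    It blocks wp-config.php but still allows anything under wp-content."""
    p = vulnerable_attachment_path(mfile)
    if p is None or not within(p, WP_CONTENT_DIR):
        return None
    return posixpath.normpath(p)


def hardened_attachment_path(mfile, server_uploaded):
    """Hardened resolver: bare basename only, must be a file the server wrote this
    session (server_uploaded is the set of names the upload handler recorded),
    and must resolve inside UPLOAD_DIR."""
    name = posixpath.basename(mfile)
    if name != mfile or name in ("", ".", ".."):
        return None  # any directory component or dot-name is rejected outright
    if name not in server_uploaded:
        return None  # not something the server itself stored
    p = posixpath.normpath(posixpath.join(UPLOAD_DIR, name))
    if not within(p, UPLOAD_DIR):
        return None
    return p


if __name__ == "__main__":
    payload = "../../../../wp-config.php"
    print("vulnerable  :", effective_target(vulnerable_attachment_path(payload)))
    print("cf7 boundary:", cf7_boundary_path(payload))
    print("cf7 boundary:", cf7_boundary_path("../../../debug.log"))
    print("hardened    :", hardened_attachment_path("../../../debug.log", {"debug.log"}))
    print("hardened    :", hardened_attachment_path("a1b2-resume.pdf", {"a1b2-resume.pdf"}))
```

The allowlist in the hardened version is the important part: a prefix check alone still lets a client pick any file that happens to sit in the upload directory, including other submitters' uploads, whereas tying the attachment to the names the server generated during this request leaves the client no choice at all.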
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to read and exfiltrate files from the web server that are readable by the server process, without any login or interaction from a site administrator.
In practice the attacker obtains files stored under the wp-content directory by tricking the plugin into attaching them to the outgoing form email, so the data leaves the server through a channel the site itself considers legitimate.
That can expose log or configuration files kept under wp-content, documents uploaded by other form submitters, or other sensitive data, so sites running an affected version should update the plugin and review what is stored beneath wp-content.