CVE-2026-8991
MediumCVSS 4.4Summary
The Drag and Drop Multiple File Upload plugin for Contact Form 7 in WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via 'drag_n_drop_text' and 'drag_n_drop_browse_text' settings in all versions up to and including 1.3.9.7 due to insufficient input sanitization and output escaping.
Risk Assessment
Authenticated attackers with administrator-level access can inject arbitrary web scripts that will execute whenever a user accesses an injected page, posing a serious threat to user data security.
Recommendation
It is recommended to update the plugin to the latest version to mitigate this vulnerability and conduct a security audit of the application.
Original NVD description (English source)
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings in all versions up to, and including, 1.3.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

