CVE Catalog

CVE-2026-8991

MediumCVSS 4.4
Published: Updated: Translated: NVD NIST

Summary

The Drag and Drop Multiple File Upload plugin for Contact Form 7 in WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via 'drag_n_drop_text' and 'drag_n_drop_browse_text' settings in all versions up to and including 1.3.9.7 due to insufficient input sanitization and output escaping.

Risk Assessment

Authenticated attackers with administrator-level access can inject arbitrary web scripts that will execute whenever a user accesses an injected page, posing a serious threat to user data security.

Recommendation

It is recommended to update the plugin to the latest version to mitigate this vulnerability and conduct a security audit of the application.

Original NVD description (English source)

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings in all versions up to, and including, 1.3.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS