Path Traversal in Glenwpcoder Drag And Drop Multiple File Upload For Contact Form 7
CVE-2026-5710
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary File Read in versions up to and including 1.3.9.6. This is due to the plugin using client-supplied mfile[]…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.000 (13.1th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
Affected products
Weakness classification (CWE)
References
- www.wordfence.com/threat-intel/vulnerabilities/id/1005eb8c-da5a-4422-9d65-0f341…
- plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-f…
- plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-f…
- plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-f…
- plugins.trac.wordpress.org/changeset/3508522/drag-and-drop-multiple-file-upload…
Frequently asked questions
- What is CVE-2026-5710?
- CVE-2026-5710 is a high-severity vulnerability in Glenwpcoder Drag And Drop Multiple File Upload For Contact Form 7, classified under Path Traversal. CVSS score: 7.5/10. Published 2026-04-17.
- How severe is CVE-2026-5710?
- High severity. CVSS v3 base score is 7.5 out of 10.