CVE-2026-49055
Description
Unauthenticated stored XSS in Drag and Drop Multiple File Upload – Contact Form 7 plugin <=1.3.9.7 enables script injection via file upload fields, potentially affecting thousands of sites.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress versions 1.3.9.7 and earlier fails to sanitize file upload inputs, leading to an unauthenticated stored Cross-Site Scripting (XSS) vulnerability [1]. Attackers can upload malicious files that, when accessed, execute injected scripts in the context of the visitor's browser.
Exploitation
An unauthenticated attacker can upload a specially crafted file via the plugin's file upload field. However, successful exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a link or visiting a page that triggers the uploaded payload [1]. This user interaction is necessary for the XSS to execute.
Impact
A successful attack allows the attacker to inject arbitrary HTML and JavaScript into the website, which executes when other users visit the affected page. This can lead to redirects, advertisements, data theft, or other malicious actions within the victim's session [1]. The CVSS score is 7.1 (High).
Mitigation
Update to version 1.3.9.8 or later immediately [1]. If immediate update is not possible, apply a virtual patch or mitigation rule (e.g., via Patchstack). The vulnerability is expected to be actively exploited in mass campaigns [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.3.9.7
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
- Wordfence Intelligence Weekly WordPress Vulnerability Report (June 1, 2026 to June 7, 2026), Wordfence Blog · Jun 11, 2026