CVE-2026-8991 in Drag and Drop Multiple File Upload for Contact Form 7 Plugin

Summary

by MITRE • 06/06/2026

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings in all versions up to, and including, 1.3.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 06/07/2026

The vulnerability in the Drag and Drop Multiple File Upload for Contact Form 7 plugin is a critical stored cross-site scripting flaw that weakens the security posture of affected WordPress installations. It affects all versions up to and including 1.3.9.7 and stems from inadequate input sanitization and output escaping in the plugin's configuration settings. The 'drag_n_drop_text' and 'drag_n_drop_browse_text' settings are the injection points: markup saved into them is stored persistently and rendered whenever a page that displays the upload field is accessed by an unsuspecting user.

Exploitation requires administrator-level access or higher within the WordPress environment, matching the attacker-access requirement in the attack pattern taxonomy. This privilege requirement considerably reduces the attack surface but does not remove the risk, since a compromised administrator account, or any other route to elevated privileges, is sufficient. The flaw is a stored XSS: the injected script lives in the plugin's configuration and runs in the browser of any user who opens a page that renders the affected settings.

The impact goes beyond script execution itself, since an injected script can perform session hijacking, credential theft, and redirection to malicious sites. Because the payload is stored, it executes automatically for every visitor to the affected pages once injected, which is particularly dangerous in multi-user environments where both administrators and regular users encounter the content. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), the class covering cross-site scripting including its stored variant, where script supplied as input is persisted on the server and emitted into pages without escaping.

Organizations using the plugin face a meaningful risk, since the vulnerability can be used to compromise user sessions and potentially gain further access to the WordPress installation or the underlying host. The attack surface is notable because the affected values are plugin settings that administrators routinely edit without treating them as a security boundary. Mitigation should start with immediate updating to a version that fixes the sanitization and escaping deficiencies, combined with proper access controls and monitoring for unauthorized changes to plugin settings. A web application firewall and a Content Security Policy add further layers of protection against exploitation attempts. The case illustrates the importance of input validation and output escaping as emphasized by the OWASP Top Ten and other industry standards that call for robust sanitization to prevent XSS.
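As an added illustration that is not the plugin's own code: the unescaped output pattern the advisory describes, the hardened form (sanitize on save, escape on output), and a small audit check an administrator can run. The option names are the two settings named above; the function names are hypothetical and a WordPress runtime is assumed.

```php
<?php
// Added example, not the plugin's code. Option names are the settings named in
// the advisory; dnd_* function names are hypothetical. Requires WordPress.

// --- Vulnerable pattern: setting is stored and echoed verbatim into HTML.
function dnd_render_upload_area_unsafe() {
    $label  = get_option( 'drag_n_drop_text' );
    $browse = get_option( 'drag_n_drop_browse_text' );
    // No escaping: any markup an administrator saved is emitted into the page.
    echo '<div class="dnd-upload"><span>' . $label . '</span>'
       . '<a href="#" class="dnd-browse">' . $browse . '</a></div>';
}

// --- Hardened pattern 1: register a sanitize_callback so every update_option()
// on these names passes through sanitize_text_field() (strips tags, encodes '<').
// Hooked on 'init' so the filter is active for admin, REST and WP-CLI updates.
function dnd_register_settings() {
    $args = array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
    );
    register_setting( 'dnd_settings', 'drag_n_drop_text',        $args );
    register_setting( 'dnd_settings', 'drag_n_drop_browse_text', $args );
}
add_action( 'init', 'dnd_register_settings' );

// --- Hardened pattern 2: escape for the HTML context at the point of output,
// independent of what is stored (defence in depth if the save path is bypassed).
function dnd_render_upload_area() {
    $label  = get_option( 'drag_n_drop_text', 'Drag and drop files here' );
    $browse = get_option( 'drag_n_drop_browse_text', 'Browse' );
    echo '<div class="dnd-upload"><span>' . esc_html( $label ) . '</span>'
       . '<a href="#" class="dnd-browse">' . esc_html( $browse ) . '</a></div>';
}

// --- Audit check: returns the first option whose stored value contains markup,
// or false when both are plain text. Useful after updating, to confirm nothing
// was injected while the vulnerable version was installed.
function dnd_settings_contain_markup() {
    foreach ( array( 'drag_n_drop_text', 'drag_n_drop_browse_text' ) as $name ) {
        $value = (string) get_option( $name, '' );
        if ( $value !== wp_strip_all_tags( $value ) ) {
            return $name;
        }
    }
    return false;
}
```

Patching removes the sink, but stored values are untouched by the update; the audit function (or `wp option get drag_n_drop_text` under WP-CLI) shows whether a payload is still sitting in the database.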

Responsible: Wordfence

Reservation: 05/19/2026

Disclosure: 06/06/2026

Moderation: accepted

CPE: ready

EPSS: 0.00039

KEV: no

Activities: very low
