CVE-2026-8991: Stored XSS in Drag and Drop Multiple File Upload for Contact Form 7 Plugin
A WordPress plugin called 'Drag and Drop Multiple File Upload for Contact Form 7' contains a stored cross-site scripting (XSS) vulnerability in versions up to 1.3.9.7. An attacker with administrator access can inject malicious scripts into the plugin's settings, which will then execute in the browsers of any user who views the affected pages. This is a privilege-escalation risk that exploits insufficient input validation on two specific settings fields.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.4 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings in all versions up to, and including, 1.3.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the 'drag_n_drop_text' and 'drag_n_drop_browse_text' configuration parameters within the plugin. These fields fail to properly sanitize user input before storage and do not escape output when rendered on the front end, enabling stored XSS injection. The attack vector requires network access and high-privilege credentials (administrator level or above), but does not require user interaction to execute the injected payload once stored. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
Business impact
A compromised administrator account could deface contact forms, inject credential-harvesting scripts, or distribute malware to all site visitors interacting with affected forms. This undermines trust in the website and could facilitate data theft from end users. The impact is amplified on high-traffic sites where the form is frequently accessed. Organizations relying on contact forms for customer communication face potential reputation damage and regulatory exposure if user data is exfiltrated.
Affected systems
The Drag and Drop Multiple File Upload for Contact Form 7 plugin is affected in all versions up to and including 1.3.9.7. Sites running this plugin are at risk if administrator credentials have been compromised, or if administrative users are socially engineered or coerced into accepting malicious settings changes. The plugin's presence in a WordPress installation does not automatically trigger the vulnerability; an authenticated attacker with high privileges must actively inject the payload.
Exploitability
Exploitation requires authenticated access with administrator-level privileges, which significantly limits the attack surface compared to unauthenticated exploits. The CVSS score of 4.4 (Medium) reflects this constraint. An attacker cannot exploit the vulnerability through a remote, unauthenticated vector; however, once injected, the payload persists and executes automatically for all site visitors. This makes it particularly dangerous in scenarios where administrative accounts are compromised via credential theft, phishing, or supply-chain compromise.
Remediation
Update the Drag and Drop Multiple File Upload for Contact Form 7 plugin to a version newer than 1.3.9.7 that includes proper input sanitization and output escaping for the affected settings fields. Organizations should also review recent changes to plugin settings and check administrator activity logs for unauthorized modifications. Reset administrator credentials if compromise is suspected, and consider implementing role-based restrictions to limit which users can modify critical plugin settings.
Patch guidance
WordPress administrators should navigate to their plugins dashboard, locate 'Drag and Drop Multiple File Upload for Contact Form 7,' and check for available updates beyond version 1.3.9.7. Apply the patch immediately upon availability. Before updating, ensure backups of the site database and configuration are in place. Test the update in a staging environment if possible to verify compatibility with custom configurations. After patching, verify that the 'drag_n_drop_text' and 'drag_n_drop_browse_text' fields render correctly and no stored scripts persist from prior injection attempts.
Detection guidance
Review plugin settings and administrator modification logs for suspicious changes to the 'drag_n_drop_text' or 'drag_n_drop_browse_text' fields, particularly any entries containing HTML tags, script tags, or JavaScript event handlers. Use WordPress security plugins or database queries to search the options table for script-like content in these fields. Monitor browser developer consoles on pages displaying the contact form for unexpected script execution. Enable and review WordPress security audit logs to identify unauthorized administrator account activity around the time of suspected injection.
Why prioritize this
Although the CVSS score is Medium (4.4), this vulnerability should be prioritized for patching because: (1) stored XSS enables persistent attacks affecting all users of the site; (2) it targets a commonly-used form plugin, expanding potential reach; (3) exploitation indicators may be difficult to detect without active monitoring; (4) the attack persists until remediated, creating a prolonged exposure window. Organizations with high-value contact forms or those handling sensitive customer data should prioritize this patch within their standard update cycle.
Risk score, explained
The CVSS 3.1 score of 4.4 (Medium) is driven by the attack vector requiring high privileges (PR:H), no user interaction needed to execute stored payload (UI:N), complex access conditions (AC:H), and limited scope of impact (CIA:L for Confidentiality and Integrity, none for Availability). The score appropriately reflects that while exploitation is constrained by authentication requirements, the persistent nature of stored XSS and its affect on multiple users elevates the practical risk beyond a simple Low classification.
Frequently asked questions
Does this vulnerability affect all Contact Form 7 users, or only those using the Drag and Drop add-on?
Only sites using the 'Drag and Drop Multiple File Upload for Contact Form 7' plugin are affected. The core Contact Form 7 plugin itself is not vulnerable to this particular stored XSS issue. Sites using Contact Form 7 without this add-on are not at risk from this vulnerability.
If our WordPress administrator account hasn't been compromised, are we still at risk?
This vulnerability requires an authenticated attacker with administrator credentials, so if your admin accounts are secure and your site has not been breached, your immediate risk is low. However, you should still apply the patch as a precautionary measure and to reduce the window of vulnerability in case credentials are later compromised through other means (such as phishing or password reuse).
How can I tell if this vulnerability has already been exploited on my site?
Check the plugin settings for the 'drag_n_drop_text' and 'drag_n_drop_browse_text' fields for any unusual content containing HTML, script tags, or event handlers. Review WordPress administrator account logs and activity history for unauthorized changes to plugin settings. Scan your site with a security scanner that detects stored XSS payloads. If you suspect compromise, also review your user activity logs for any suspicious logins or actions.
Do we need to take any action beyond patching the plugin?
After patching, verify that no malicious content remains stored in the affected settings fields and reset administrator passwords if there is any sign of account compromise. Consider auditing recent administrator actions and enabling additional logging for plugin and settings modifications. If your site serves sensitive data, run a full security scan post-patch to ensure no other vulnerabilities were introduced during the compromise window.
This analysis is provided for informational purposes and is based on the vulnerability data available as of the publish date. Organizations should verify all patch versions and availability against official vendor advisories before deploying updates. CVSS scores and risk assessments are provided as general guidance and should be contextualized within each organization's unique threat model and asset inventory. Always test patches in non-production environments before broad deployment. SEC.co does not provide liability for decisions made based on this analysis, and users remain responsible for their security posture and incident response. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1