CVE-2026-49055: WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin <= 1.3.9.7 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.7 versions.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: — (no upstream fix published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
A reflected or stored cross-site scripting (XSS) vulnerability affects the Drag and Drop Multiple File Upload plugin for Contact Form 7, versions 1.3.9.7 and earlier. The vulnerability is reachable over the network with no authentication required, but a victim must interact with a crafted link or form input to trigger the payload. Successful exploitation lets an attacker execute arbitrary JavaScript in the victim's browser, enabling session theft, page content manipulation, or unwanted actions performed on the victim's behalf. No upstream fix has been published yet; HarborGuard tracks the advisory and will surface patch availability as soon as one is released.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle this plugin. Any image containing an affected version of Drag and Drop Multiple File Upload <= 1.3.9.7 is flagged automatically. Status: Available.
HarborGuard scores this issue at CVSS 7.1 (HIGH) and weights it against each environment's compliance policy to determine routing priority. Findings are routed to the appropriate team inbox within the customer org based on configured ownership rules for WordPress-related workloads. Status: Available.
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the vendor ships a corrected release. In the meantime, customers can apply compensating controls such as network-policy isolation or web-application firewall rules through HarborGuard's policy configuration. Status: Pending upstream.
Exploit Conditions
- Network reachability: Required
The plugin endpoint is exposed over the network, so an attacker must be able to reach the target web server from the internet or an accessible network path.
- Authentication: Not required
No account or credentials are needed; the attacker can trigger the vulnerable code path as an unauthenticated visitor.
- Victim interaction: Required
A victim must interact with a crafted link or malicious input (for example, clicking a specially constructed URL or submitting a manipulated form), giving this a social-engineering component.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or unusual environmental configuration.
Blast Radius
- An attacker can execute arbitrary JavaScript in the victim's browser session, reading stored cookies and session tokens associated with the WordPress site.
- Injected script can modify the visible page content the victim sees, enabling phishing or credential-harvesting within the legitimate site context.
- The attacker can perform authenticated actions on the victim's behalf (such as changing account settings or submitting forms) if the victim holds an active session.
- Impact spans confidentiality, integrity, and availability at a low-to-moderate level per the CVSS scoring, affecting the victim's session data and the integrity of page content they interact with.
How HarborGuard Handles This
Because no patched version of Drag and Drop Multiple File Upload exists at this time, HarborGuard continuously monitors the advisory across ingest cycles and will surface a patched-image rebuild the moment the vendor publishes a fix. For environments with auto-remediation enabled, the rebuild, the regression test run, and a PR against affected workloads are triggered automatically at that point. While the fix is pending, customers are encouraged to evaluate compensating controls such as restricting access to the affected upload endpoint via network policy, enabling a web-application firewall rule targeting XSS payloads in file-upload fields, or temporarily disabling the plugin in workloads where its use is non-essential. HarborGuard's policy configuration supports each of these approaches through environment-level controls.
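One way to do the affected-version check that the detection and handling sections describe, as an added example that is not HarborGuard's or the plugin's own code: it reads the standard WordPress plugin-header `Version:` line from the plugin's main PHP file and compares it numerically against the 1.3.9.7 ceiling. The plugin directory and file name, the sample header, and the function names are assumptions made for this example.

```python
"""Flag installs of Drag and Drop Multiple File Upload - Contact Form 7 that fall
in the CVE-2026-49055 affected range (<= 1.3.9.7) from the plugin header."""
import re
from typing import Optional, Tuple

CVE_ID = "CVE-2026-49055"
AFFECTED_MAX = "1.3.9.7"  # highest affected version per the advisory

# Assumed location of the plugin's main file inside a WordPress install (not from the advisory).
PLUGIN_MAIN_FILE = ("wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/"
                    "drag-and-drop-multiple-file-upload-contact-form-7.php")

# Standard WordPress header line, e.g. " * Version: 1.3.9.7" inside the leading docblock.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(?P<ver>[0-9][0-9A-Za-z.\-]*)\s*$", re.M)

# Constructed sample header standing in for the contents of PLUGIN_MAIN_FILE.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Drag and Drop Multiple File Upload - Contact Form 7
 * Version: 1.3.9.7
 * Author: Glen Don Mongaya
 */
"""

def parse_version(header_text: str) -> Optional[str]:
    """Return the Version: value from a plugin main file, or None if absent."""
    m = HEADER_RE.search(header_text)
    return m.group("ver") if m else None

def version_key(ver: str) -> Tuple[int, ...]:
    """Numeric tuple for comparison; a pre-release suffix such as '-beta' is dropped,
    so 1.3.10 > 1.3.9.7 and 1.3.9 < 1.3.9.7 compare correctly component by component."""
    core = re.split(r"[-+]", ver, 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())

def is_affected(ver: str) -> bool:
    """True when ver is at or below the advisory's ceiling (no fix version is published)."""
    return version_key(ver) <= version_key(AFFECTED_MAX)

def scan_plugin_header(header_text: str) -> dict:
    """Produce a finding record; 'affected' is None when no version could be read."""
    ver = parse_version(header_text)
    if ver is None:
        return {"cve": CVE_ID, "version": None, "affected": None, "note": "no Version header"}
    return {"cve": CVE_ID, "version": ver, "affected": is_affected(ver)}

if __name__ == "__main__":
    print(scan_plugin_header(SAMPLE_HEADER))
```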
Affected Products
- Glen Don Mongaya / Drag and Drop Multiple File Upload – Contact Form 7, versions ≤ 1.3.9.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L