CVE-2026-8991 Overview
CVE-2026-8991 is a Stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress. The flaw affects all versions up to and including 1.3.9.7. The plugin fails to properly sanitize input and escape output for the drag_n_drop_text and drag_n_drop_browse_text settings. Authenticated attackers with administrator-level access can inject arbitrary JavaScript that executes when other users visit affected pages. The vulnerability primarily enables persistence and cross-tenant abuse in multi-administrator or multisite WordPress environments.
Critical Impact
Stored JavaScript payloads execute in the browser of any user viewing a page rendered with the malicious plugin settings, enabling session theft, admin account takeover, and persistent backdoor injection across WordPress sites.
Affected Products
- Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress (all versions ≤ 1.3.9.7)
- WordPress sites using the drag_n_drop_text setting
- WordPress sites using the drag_n_drop_browse_text setting
Discovery Timeline
- 2026-06-06 - CVE-2026-8991 published to the National Vulnerability Database
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-8991
Vulnerability Analysis
The vulnerability resides in how the plugin handles two configurable plugin settings: drag_n_drop_text and drag_n_drop_browse_text. These settings define the user-visible text shown in the file upload widget on front-end Contact Form 7 forms. The plugin reads these values from its options storage and emits them directly into the rendered HTML through inc/dnd-upload-cf7.php and the codedropz-uploader-min.js script.
Because the plugin neither sanitizes the values on storage nor escapes them on output, an administrator with access to the plugin settings page can inject HTML and JavaScript. Once stored, the payload executes in the browser of every visitor who loads a page containing the form. The vulnerability is classified as Stored XSS rather than Reflected because the malicious payload is persisted server-side in the WordPress options table.
Root Cause
The root cause is twofold: no input validation when the settings are written, and no output escaping when they are rendered. The PHP rendering paths at lines 587 and 1445 of dnd-upload-cf7.php insert the configured strings into HTML attributes and into a JavaScript context without passing them through escaping functions such as esc_attr(), esc_html(), or wp_kses(). The JavaScript uploader in codedropz-uploader-min.js then consumes these values and writes them into the DOM, again without escaping.
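The following is an added example, not the plugin's own code, showing the two render shapes the root cause describes: a minimal output path for the two label settings written the unescaped way the advisory describes, then the same path escaped for each output context (attribute, element text, script block) with a sanitize callback on write. It runs inside WordPress (for example as an mu-plugin); the option names, the shortcode name and the dnd_example_* function names are assumptions for illustration.

```php
<?php
/**
 * Added example, not the plugin's code. Option names and dnd_example_*
 * function names are assumptions; the WordPress API calls are real.
 */

// Vulnerable shape (illustrative): the stored strings are concatenated straight
// into an HTML attribute, into element text, and into a <script> block, so any
// markup saved on the settings page becomes part of the rendered page.
function dnd_example_render_unsafe() {
    $text   = get_option( 'drag_n_drop_text', 'Drag & Drop Files Here' );
    $browse = get_option( 'drag_n_drop_browse_text', 'Browse Files' );
    return '<div class="dnd-upload" data-text="' . $text . '">'
         . '<span class="dnd-browse">' . $browse . '</span></div>'
         . '<script>var dndText = "' . $text . '";</script>';
}

// Hardened shape: each value is escaped for the exact context it lands in.
function dnd_example_render_safe() {
    $text   = get_option( 'drag_n_drop_text', 'Drag & Drop Files Here' );
    $browse = get_option( 'drag_n_drop_browse_text', 'Browse Files' );
    // wp_json_encode() emits a quoted JS string literal; the JSON_HEX_* flags
    // encode < > & ' " as \uXXXX so the value cannot close the string or the
    // <script> element.
    $js_flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<div class="dnd-upload" data-text="' . esc_attr( $text ) . '">'
         . '<span class="dnd-browse">' . esc_html( $browse ) . '</span></div>'
         . '<script>var dndText = ' . wp_json_encode( $text, $js_flags ) . ';</script>';
}

// Sanitize on write as well. When the options are saved through the Settings
// API (options.php), the sanitize callback strips tags before the value reaches
// wp_options; a plugin that saves via its own handler must call
// sanitize_text_field() there instead.
function dnd_example_register_settings() {
    foreach ( array( 'drag_n_drop_text', 'drag_n_drop_browse_text' ) as $option ) {
        register_setting( 'dnd_example_group', $option, array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
        ) );
    }
}
add_action( 'admin_init', 'dnd_example_register_settings' );

// Shortcode so the escaped output can be placed on a page and inspected.
add_shortcode( 'dnd_example_safe', 'dnd_example_render_safe' );
```

Escaping on output is the control that closes the reported issue regardless of how a value got into the database; the sanitize callback is defence in depth for the write side and does not apply to save paths that bypass the Settings API.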
Attack Vector
An attacker must first obtain administrator-level credentials, either through credential compromise or by abusing a separate privilege escalation. The attacker then navigates to the plugin configuration page and stores a JavaScript payload in either the drag_n_drop_text or drag_n_drop_browse_text field. When any visitor loads a public page that renders a Contact Form 7 form with the drag-and-drop uploader, the injected script executes in that visitor's session. Typical objectives include hijacking other administrator sessions, performing CSRF actions against wp-admin, and planting persistent backdoors via theme or plugin editor APIs.
No verified public exploit code is available for CVE-2026-8991. See the Wordfence Vulnerability Report and the WordPress Plugin Change Log for vendor-side technical details.
Detection Methods for CVE-2026-8991
Indicators of Compromise
- Unexpected HTML tags such as <script>, <img onerror=...>, or <svg> stored in the wp_options rows that back the plugin's settings, especially keys associated with drag_n_drop_text and drag_n_drop_browse_text.
- Outbound requests from visitor browsers to unfamiliar domains immediately after loading pages that render Contact Form 7 with the drag-and-drop uploader.
- New or modified administrator accounts, plugin files, or theme files created shortly after a plugin settings update event.
Detection Strategies
- Query the WordPress database for plugin option values containing HTML markup or event-handler attributes, for example: SELECT option_name, option_value FROM wp_options WHERE option_value LIKE '%<script%' OR option_value LIKE '%onerror=%'.
- Compare current plugin file hashes against the official 1.3.9.8 (or later patched) release to confirm integrity.
- Review WordPress audit logs for update_option calls targeting drag-and-drop plugin settings from non-routine administrator accounts.
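As an added example (not part of the advisory or the plugin), the check below applies the first detection strategy offline: it takes wp_options rows as name/value pairs, restricts itself to rows that refer to drag_n_drop_text or drag_n_drop_browse_text, unpacks serialized settings arrays, and reports any leaf string that contains a tag, an inline event handler or a javascript: URL. The sample rows, the dnd_cf7_settings option name and the payload strings are constructed for illustration; wire the scanner to $wpdb or a WP-CLI export to run it against a real site.

```php
<?php
// Added example, not the plugin's code. Runs stand-alone with `php scan.php`;
// the rows below are constructed, real ones come from wp_options.

const DND_WATCHED_KEYS = array( 'drag_n_drop_text', 'drag_n_drop_browse_text' );

// Patterns that indicate markup or script where a plain label is expected.
const DND_SUSPECT_PATTERNS = array(
    '/<\s*[a-z!\/?]/i',   // any tag opener, e.g. <script, <img, <svg
    '/\bon[a-z]+\s*=/i',  // inline event-handler attribute such as onerror=
    '/javascript\s*:/i',  // javascript: URL scheme
);

// Walk a value that may be a plain string or a serialized settings array and
// return every leaf string that matches a suspect pattern, with its key path.
function dnd_find_markup( $value, $path = '' ) {
    $hits = array();
    if ( is_string( $value ) ) {
        // Plugin settings are often stored serialized; decode without
        // instantiating objects so the scan itself cannot be abused.
        $decoded = @unserialize( $value, array( 'allowed_classes' => false ) );
        if ( $decoded !== false && is_array( $decoded ) ) {
            return dnd_find_markup( $decoded, $path );
        }
        foreach ( DND_SUSPECT_PATTERNS as $pattern ) {
            if ( preg_match( $pattern, $value ) ) {
                $hits[] = array( 'path' => $path, 'value' => $value );
                break;
            }
        }
    } elseif ( is_array( $value ) ) {
        foreach ( $value as $key => $item ) {
            $child = ( $path === '' ) ? (string) $key : $path . '.' . $key;
            $hits  = array_merge( $hits, dnd_find_markup( $item, $child ) );
        }
    }
    return $hits;
}

// Scan rows (option_name => option_value) and report findings for rows whose
// name, or whose serialized value, refers to one of the watched settings.
function dnd_scan_options( array $rows ) {
    $findings = array();
    foreach ( $rows as $name => $value ) {
        $watched = false;
        foreach ( DND_WATCHED_KEYS as $key ) {
            if ( stripos( $name, $key ) !== false
                 || ( is_string( $value ) && strpos( $value, $key ) !== false ) ) {
                $watched = true;
                break;
            }
        }
        if ( ! $watched ) {
            continue;
        }
        foreach ( dnd_find_markup( $value, $name ) as $hit ) {
            $findings[] = $hit;
        }
    }
    return $findings;
}

// Constructed sample rows: one clean label, one injected label, one serialized
// settings array (hypothetical option name) holding an injected label, and one
// unrelated core option that must be ignored.
$sample_rows = array(
    'drag_n_drop_text'        => 'Drag &amp; Drop Files Here',
    'drag_n_drop_browse_text' => 'Browse <img src=x onerror="alert(1)">',
    'dnd_cf7_settings'        => serialize( array(
        'drag_n_drop_text' => 'Upload <svg onload=alert(1)>',
        'max_file_size'    => 10485760,
    ) ),
    'siteurl'                 => 'https://example.test',
);

foreach ( dnd_scan_options( $sample_rows ) as $hit ) {
    printf( "SUSPECT %s: %s\n", $hit['path'], $hit['value'] );
}
```

On the constructed rows the scanner reports drag_n_drop_browse_text and dnd_cf7_settings.drag_n_drop_text and stays silent on the entity-encoded ampersand in the clean label and on siteurl. Any hit is a trigger for the actions under Immediate Actions Required: reset the value to a safe default and review who last updated it.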
Monitoring Recommendations
- Monitor wp-admin activity for unusual administrator logins, particularly from new IP addresses or geolocations.
- Alert on any modification to plugin options containing the strings drag_n_drop_text or drag_n_drop_browse_text.
- Inspect web server access logs for repeated requests to pages embedding Contact Form 7 forms paired with suspicious referrers or anomalous user agents.
How to Mitigate CVE-2026-8991
Immediate Actions Required
- Update the Drag and Drop Multiple File Upload for Contact Form 7 plugin to a version newer than 1.3.9.7 as soon as the vendor publishes a patched release.
- Audit all WordPress administrator accounts, rotate passwords, and enforce multi-factor authentication on every admin role.
- Review the current values of the drag_n_drop_text and drag_n_drop_browse_text settings and reset them to safe defaults if any HTML or script content is present.
Patch Information
Review the WordPress Plugin Change Log and the Wordfence Vulnerability Report for the official fixed version and remediation details. The vulnerable code paths are documented at WordPress DND Upload PHP Line 587 and WordPress DND Upload PHP Line 1445.
Workarounds
- Restrict the WordPress administrator role to a small, trusted set of users and remove unnecessary administrator accounts.
- Deploy a web application firewall rule that blocks <script>, onerror, and similar HTML payloads in POST bodies targeting plugin settings endpoints.
- Apply a Content Security Policy (CSP) that disallows inline scripts to reduce the impact of stored XSS payloads until the plugin is patched. Roll it out first as Content-Security-Policy-Report-Only, because WordPress core and many plugins emit inline scripts that a policy of this shape will block.
# Example CSP header in an Apache .htaccess to limit inline script execution
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.