Title: Critical security problems
Last modified: March 2, 2026

---

# Critical security problems

 *  [webcoderswpo](https://wordpress.org/support/users/webcoderswpo/)
 * (@webcoderswpo)
 * [1 month, 1 week ago](https://wordpress.org/support/topic/critical-security-problems-2/)
 * We have identified critical security problems related to your plugin’s file upload
   handling and cron-based file deletion.
 * 1. Publicly accessible uploaded files
   • Uploaded files are stored in the standard wp-content/uploads directory (and
   a predictable subdirectory) and are publicly accessible without any protection.
   • The plugin only adds a hashed subdirectory when the user has a valid
   wpcf7_guest_user_id cookie.
   • If this cookie is not present, files are placed in a non‑hashed, predictable
   location and remain directly accessible by URL under their original filenames.
   This creates a serious information disclosure risk.
 * 2. Cron event for daily cleanup not scheduled
   • The daily cron event for removing old uploaded files is not registered at all,
   even though file auto‑deletion is enabled in the plugin settings.
   • As a result, uploaded files accumulate indefinitely and remain publicly accessible.
   • I have checked the cron list, and there is no event from your plugin responsible
   for deleting these files.
 * 3. Environment details
   • WordPress: latest stable version
   • Plugin: latest available version from the official source
   • PHP: supported and recommended version for current WordPress
 * Expected behavior
   • Uploaded files should never be publicly accessible in a predictable location
   without protection (for example, they should always be stored in a hashed/non‑guessable
   path, regardless of cookies, or blocked via access rules).
   • The daily cron event for cleaning old files should be reliably scheduled and
   executed whenever the auto‑delete option is enabled.
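
An audit a site administrator can run against their own uploads directory to see both effects described in the post above (an added example, not part of the original post and not the plugin's code). It assumes that a non-guessable directory name means 32 or more lowercase hex characters; the thread does not give the plugin's actual directory naming, so adjust the pattern to match.

```shell
#!/bin/sh
# Added audit example. The "32+ hex characters" rule for a random-looking
# directory name is an assumption, not taken from the plugin.

# Succeeds when some directory component of the relative path $1
# looks non-guessable (assumed: 32 or more lowercase hex characters).
has_random_component() {
    dir=$(dirname "$1")
    printf '%s\n' "$dir" | tr '/' '\n' | grep -Eq '^[0-9a-f]{32,}$'
}

# Lists files under $1 whose path contains no random-looking directory,
# i.e. files reachable by guessing the original filename.
list_predictable() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | sort ) |
    while IFS= read -r f; do
        has_random_component "$f" || printf '%s\n' "$f"
    done
}

# Lists files under $1 last modified more than $2 days ago,
# i.e. files a working daily cleanup would already have removed.
list_stale() {
    ( cd "$1" && find . -type f -mtime +"$2" | sed 's|^\./||' | sort )
}

# Usage: sh audit.sh /path/to/wp-content/uploads/<plugin-subdirectory> 1
if [ "$#" -eq 2 ]; then
    echo "== files with no random path component =="
    list_predictable "$1"
    echo "== files older than $2 day(s) =="
    list_stale "$1" "$2"
fi
```

An empty result from both lists is the expected state; on a site with WP-CLI, `wp cron event list` shows whether any cleanup hook is registered at all.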

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Plugin Author [Glen Don Mongaya](https://wordpress.org/support/users/glenwpcoder/)
 * (@glenwpcoder)
 * [1 month, 1 week ago](https://wordpress.org/support/topic/critical-security-problems-2/#post-18838380)
 * Hello [@webcoderswpo](https://wordpress.org/support/users/webcoderswpo/),
 * Thanks for reaching out and for the detailed explanation.
 * I made changes and am moving from the cookie to another solution.
   Can you try this
   version [https://drive.google.com/file/d/10wLawMYKXb-nHFPmj8MwZRtkpfkxZcaf/view?usp=sharing](https://drive.google.com/file/d/10wLawMYKXb-nHFPmj8MwZRtkpfkxZcaf/view?usp=sharing)
   and let me know how it goes?
 * And for the cron, I scheduled it to run hourly, named “dnd_cf7_daily_event”.
 * Please let me know, thanks for your help.
 * Glen
 *  [John Doe](https://wordpress.org/support/users/heartbreakkid58/)
 * (@heartbreakkid58)
 * [3 weeks, 5 days ago](https://wordpress.org/support/topic/critical-security-problems-2/#post-18854714)
 * Hi [@glenwpcoder](https://wordpress.org/support/users/glenwpcoder/), my FlyWheel
   hosting’s malware scanner detected a security issue with the plugin. It says:
   `Security Vulnerability: drag-and-drop-multiple-file-upload-contact-form-7`
   `Fixed in version: 1.3.8.8`
   I’m on the latest 1.3.9.6 version. Do you think I should also use the same version
   that you’ve shared above in the comment? Thank you.
 *  Plugin Author [Glen Don Mongaya](https://wordpress.org/support/users/glenwpcoder/)
 * (@glenwpcoder)
 * [3 weeks, 4 days ago](https://wordpress.org/support/topic/critical-security-problems-2/#post-18855018)
 * [@heartbreakkid58](https://wordpress.org/support/users/heartbreakkid58/) we have
   already released that version, make sure your plugin is updated to version 1.3.9.6.
 * Thanks for letting me know.

 * [Drag and Drop Multiple File Upload for Contact Form 7](https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/)

 * 4 replies
 * 3 participants
 * Last reply from: [Glen Don Mongaya](https://wordpress.org/support/users/glenwpcoder/)
 * Last activity: [3 weeks, 4 days ago](https://wordpress.org/support/topic/critical-security-problems-2/#post-18855018)
 * Status: not resolved