Title: vulnerability?
Last modified: June 12, 2026

---

# vulnerability?

 *  [e dev](https://wordpress.org/support/users/efishinsea/)
 * (@efishinsea)
 * [1 day, 15 hours ago](https://wordpress.org/support/topic/vulnerability-175/)
 * We have had an issue with a bot uploading multiple files directly to the code
   without submitting a form over 9000 times in the past 24 hours. I am working 
   to mitigate this in a variety of ways, but there should be some checks added 
   to the code to prevent upload without a form postback.
 * There are no form submissions for these uploads which were originally brought
   to our attention when the host took our site offline due to the large volume 
   of traffic to the server. It’s from a rotating list of IPs so blocking IPs directly
   hasn’t worked well.

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Thread Starter [e dev](https://wordpress.org/support/users/efishinsea/)
 * (@efishinsea)
 * [1 day, 13 hours ago](https://wordpress.org/support/topic/vulnerability-175/#post-18937032)
 * Also, I do not have ‘pdf’ as an allowed file type:
 *     ```
       Allowed File Types: .3ds, .bw2, .dwg, .dxf, .fc2, .fc3, .jpg, .png, .ppj, .r2x, .rar, .rhx, .rvt, .skp, .zip.
       ```
   
 * but can still upload pdfs.
 *  Plugin Author [Glen Don Mongaya](https://wordpress.org/support/users/glenwpcoder/)
 * (@glenwpcoder)
 * [1 day, 11 hours ago](https://wordpress.org/support/topic/vulnerability-175/#post-18937054)
 * Hello [@efishinsea](https://wordpress.org/support/users/efishinsea/),
 * It’s likely that the issue was caused by an injection somewhere else and not 
   through the **form** itself. Could you please provide a screenshot or the path
   of the affected files where the code was added (for example, `wp-content/uploads/wpcf7_dnd_uploads`)?
 * Does your hosting provider have any logs or information available that could 
   help us trace the source of the issue or identify the specific file that introduced
   it? If you have any information, you can send it directly through my email, glenmongaya@gmail.com;
   **do not** post it here.
 * The plugin is actively maintained and regularly reviewed by security teams, including
   Patchstack and Wordfence. At this time, we are not aware of any issues related
   to this.
 * Please let me know.
 *  Thread Starter [e dev](https://wordpress.org/support/users/efishinsea/)
 * (@efishinsea)
 * [23 hours, 36 minutes ago](https://wordpress.org/support/topic/vulnerability-175/#post-18937331)
 * done.
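
The pattern described in this thread (many uploads, no matching form submissions, rotating source IPs) can be looked for in the host's access log by comparing counts per hour instead of per IP. The sketch below is an added example, not code from the plugin or from either poster; it assumes a combined-format log, that the upload requests arrive as POSTs to `/wp-admin/admin-ajax.php` (which other plugins also use), and that form submissions arrive at the Contact Form 7 REST feedback route. The thresholds and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumptions (adjust per site): the upload requests reach admin-ajax.php and
# form submissions reach the Contact Form 7 REST "feedback" route.
UPLOAD_PATH = "/wp-admin/admin-ajax.php"
SUBMIT_RE = re.compile(r"^/wp-json/contact-form-7/v1/contact-forms/\d+/feedback/?$")
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def hourly_stats(lines):
    """Per hour: upload POSTs, form-submission POSTs, distinct uploading IPs."""
    buckets = defaultdict(lambda: {"uploads": 0, "submits": 0, "ips": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        hour = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").strftime("%Y-%m-%d %H:00")
        if path == UPLOAD_PATH:
            buckets[hour]["uploads"] += 1
            buckets[hour]["ips"].add(m["ip"])
        elif SUBMIT_RE.match(path):
            buckets[hour]["submits"] += 1
    return {h: {**b, "ips": len(b["ips"])} for h, b in buckets.items()}

def suspicious_hours(stats, min_uploads=3, max_per_submit=5):
    """Hours where uploads far outnumber submissions, whatever the source IPs."""
    return sorted(h for h, b in stats.items()
                  if b["uploads"] >= min_uploads
                  and b["uploads"] > max_per_submit * b["submits"])

# Constructed sample log (combined format, documentation IP ranges).
SAMPLE = [
    '192.0.2.10 - - [10/Jun/2026:09:01:02 +0000] "GET /contact/ HTTP/1.1" 200 5120',
    '192.0.2.10 - - [10/Jun/2026:09:01:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 210',
    '192.0.2.10 - - [10/Jun/2026:09:02:05 +0000] "POST /wp-json/contact-form-7/v1/contact-forms/12/feedback HTTP/1.1" 200 340',
] + [
    f'198.51.100.{i} - - [10/Jun/2026:10:00:0{i} +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 210'
    for i in range(1, 5)
]

if __name__ == "__main__":
    stats = hourly_stats(SAMPLE)
    for hour in suspicious_hours(stats):
        print(hour, stats[hour])
```

Hours flagged this way give a time window to hand to the host or the plugin author along with the matching raw log lines.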


 * [Drag and Drop Multiple File Upload for Contact Form 7](https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/)

 * 4 replies
 * 2 participants
 * Last reply from: [e dev](https://wordpress.org/support/users/efishinsea/)
 * Last activity: [23 hours, 36 minutes ago](https://wordpress.org/support/topic/vulnerability-175/#post-18937331)
 * Status: not resolved