CVE-2020-35489

Contact Form 7

on wordpress-plugin

Published

December 17, 2020

Severity

CVSS v3:

10 CRITICAL

CVSS v2:

10 HIGH

Description

The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.

References

https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload/
https://wordpress.org/plugins/contact-form-7/#developers
https://www.jinsonvarghese.com/unrestricted-file-upload-in-contact-form-7/
https://contactform7.com/2020/12/17/contact-form-7-532/
https://wpscan.com/vulnerability/10508

Configurations

CPE23	Version Start	Version End	Exact Version
cpe:2.3:a:rocklobster:contact_form_7::::::wordpress::*	n/a	5.3.2	*

External Links

NVD - CVE-2020-35489