Vulnerability Details : CVE-2020-35489
The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.
Vulnerability category: Execute code
Products affected by CVE-2020-35489
- cpe:2.3:a:rocklobster:contact_form_7:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-35489
- EPSS score: 90.37% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~100% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2020-35489
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | |
| 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 3.9 | 6.0 | NIST | |
CWE ids for CVE-2020-35489
- The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-35489
- https://contactform7.com/2020/12/17/contact-form-7-532/ : Contact Form 7 5.3.2 | Contact Form 7 (Vendor Advisory)
- https://www.jinsonvarghese.com/unrestricted-file-upload-in-contact-form-7/ : Unrestricted File Upload possible in Contact Form 7 (Third Party Advisory)
- https://wordpress.org/plugins/contact-form-7/#developers : Contact Form 7 – WordPress plugin | WordPress.org (Release Notes; Third Party Advisory)
- https://wpscan.com/vulnerability/10508 : Contact Form 7 < 5.3.2 - Unrestricted File Upload (Third Party Advisory)
- https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload/ : Unrestricted File Upload Vulnerability in Contact Form 7 (Third Party Advisory)