CVE-2020-35489
high-risk
Published 2020-12-17
The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.
Do I need to act?
EPSS: 90.3% chance of exploitation in next 30 days (EPSS score higher than 10% of all CVEs)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Fix available: upgrade to ab6e1a2c7fd4b4c2e351d43b9dc4faa8c1bc8bf9
CVSS 10.0/10, Critical (attack vector: NETWORK, attack complexity: LOW)
Affected Products (1)
References (10)
Vendor Advisory: https://contactform7.com/2020/12/17/contact-form-7-532/
Release Notes: https://wordpress.org/plugins/contact-form-7/#developers
Third Party Advisory: https://wpscan.com/vulnerability/10508
Third Party Advisory: https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-fil...
Third Party Advisory: https://www.jinsonvarghese.com/unrestricted-file-upload-in-contact-form-7/
Risk score: 58 / 100 (high-risk)
Severity: 33/34 · Critical
Exploitability: 20/34 · Moderate
Exposure: 5/34 · Minimal