Vulnerability Database

Search the MergeBase vulnerability database for information on known vulnerabilities in open-source components.

Risk Score
risk image
10
Out of 10
Summary
CWEs
CWE-434
Published
2020-12-17
Updated
2020-12-22
Source
NVD
Identifier

CVE-2020-35489

Description
The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.
MergeBase Comment

An unrestricted file upload vulnerability has been found in Contact Form 7 5.3.1 and older versions. Utilizing this vulnerability, a form submitter can bypass Contact Form 7’s filename sanitization, and upload a file which can be executed as a script file on the host server.

If you have Contact Form installed and allow any file uploads on any form, it is important to upgrade the plugin immediately. Due to the ubiquity of WordPress sites, you may be hit by drive-by automated attacks in addition to targeted attacks.

For detailed analysis see the following article here.
Common Weakness Enumeration (CWE)
link icon
CWE-434
Unrestricted Upload of File with Dangerous Type

Discover More from MergeBase

Open Source Protection

Stay on top of the real risk of open source at any time.

Avoid false positives and get sophisticated upgrade guidance based on risk, compatibility, and popularity.

More on Continuous Protection

Add Dynamic Application Surveillance and Hardening

Detect and defend against known-vulnerabilities at runtime. The only SCA to do so.

The quickest way to respond to an imminent threat like log4j with CVE-2021-44228.

More on Runtime

Shift Left Now

MergeBase directly integrates with Github and Bitbucket to provide an early warning system for your in-house development

Product Overview