Risk Score
10.0
Out of 10
Summary
Published
Dec 17, 2020
Updated
Dec 22, 2020
Source
NVD
Identifier
CVE-2020-35489
Description
The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.
MergeBase Comment

An unrestricted file upload vulnerability has been found in Contact Form 7 5.3.1 and older versions. Utilizing this vulnerability, a form submitter can bypass Contact Form 7’s filename sanitization, and upload a file which can be executed as a script file on the host server.

If you have Contact Form installed and allow any file uploads on any form, it is important to upgrade the plugin immediately. Due to the ubiquity of WordPress sites, you may be hit by drive-by automated attacks in addition to targeted attacks.

For detailed analysis see the following article https://blog.wpsec.com/contact-form-7-vulnerability/

Discover More from MergeBase

Open Source Protection

Stay on top of the real risk of open source at any time.

Avoid false positives and get sophisticated upgrade guidance based on risk, compatibility and popularity.

More on Continuous Protection

Add RunTime Protection

Detect and defend against known-vulnerabilities at runtime. The only SCA to do so.

The quickest way to respond to an imminent threat like log4j with CVE-2021-44228.

More on Run-time Protection

Shift Left Now

CodeGreen is an early-warning defence for your in-house development and integrates directly into GitHub and BitBucket

More on BitBucket and Github apps