
Exploit for WordPress Contact Form 7 - Unrestricted File Upload (CVE-2020-35489)

Description:

WordPress Contact Form 7 before 5.3.2 allows unrestricted file upload and remote code execution because a filename may contain special characters.
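As an added example (not code from the Contact Form 7 project and not the plugin's own fix), a server-side filename check of the kind that closes this class of issue: it rejects names carrying control or format characters and only then decides the extension, so the string that is validated is the string that is stored. The allowlist and sample names are constructed for the example.

```python
import re
import unicodedata
from typing import Optional

# Constructed allowlist for this example; a real deployment sets its own.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt"})


def has_special_characters(name: str) -> bool:
    """True if the name carries control, format or line/paragraph separator
    characters (tab, newline, NUL, zero-width marks and the like)."""
    return any(unicodedata.category(ch) in ("Cc", "Cf", "Zl", "Zp") for ch in name)


def check_upload_filename(name: str) -> Optional[str]:
    """Return the name to store the upload under, or None to reject it.

    The extension check runs on the cleaned name, so no character can sit
    between the part that is validated and the part that is written to disk.
    """
    # Drop any client-supplied directory components (both separator styles).
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or has_special_characters(base):
        return None
    # Reduce to a conservative character set; collapse runs into one underscore.
    cleaned = re.sub(r"[^A-Za-z0-9._-]+", "_", base).strip("._-")
    if "." not in cleaned:
        return None
    stem, ext = cleaned.rsplit(".", 1)
    if not stem or ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    return f"{stem}.{ext.lower()}"


# Constructed inputs for the stand-alone run below.
SAMPLE_NAMES = [
    "report.pdf",
    "holiday photo.JPG",
    "notes\t.txt",
    "../uploads/photo.png",
    "script.php",
    ".htaccess",
]

if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        print(repr(sample), "->", check_upload_filename(sample))
```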

Nuclei Template

View the template here: CVE-2020-35489.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2020/CVE-2020-35489.yaml

References:

https://web.archive.org/web/20210125141546/https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload-vulnerability/
https://nvd.nist.gov/vuln/detail/CVE-2020-35489
https://contactform7.com/2020/12/17/contact-form-7-532/
https://wordpress.org/plugins/contact-form-7/#developers
https://www.jinsonvarghese.com/unrestricted-file-upload-in-contact-form-7/