CyberSec.Space Logo
返回 CVE 瀏覽器

CVE-2020-35489

CRITICAL
10.0
CVSS Severity Score
EPSS Score0.1190%
EPSS Percentile13.26th
Published2020年12月17日
Last Modified2024年11月21日

Vulnerability Description

The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.

Affected Platforms (CPE)

📦
Rocklobster

Contact Form 7

< 5.3.2

References & Advisories

🔗 https://contactform7.com/2020/12/17/contact-form-7-532/
🔗 https://wordpress.org/plugins/contact-form-7/#developers
🔗 https://wpscan.com/vulnerability/10508
🔗 https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload/
🔗 https://www.jinsonvarghese.com/unrestricted-file-upload-in-contact-form-7/
🔗 https://contactform7.com/2020/12/17/contact-form-7-532/
🔗 https://wordpress.org/plugins/contact-form-7/#developers
🔗 https://wpscan.com/vulnerability/10508

相關漏洞威脅

CVE-2020-103749.8

A webserver component in Paessler PRTG Network Monitor 19.2.50 to PRTG 20.1.56 allows unauthenticated remote command execution via...

CVE-2018-209799.8

The contact-form-7 plugin before 5.0.4 for WordPress has privilege escalation because of capability_type mishandling in register_p...

CVE-2019-170729.8

The new-contact-form-widget (aka Contact Form Widget - Contact Query, Form Maker) plugin 1.0.9 for WordPress has SQL Injection via...

CVE-2020-128009.8

The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unrestricted File Upload and remo...