Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.3.3 – Unauthenticated File Upload Bypass | CVE 2020-12800

Description

Due to the plugin not properly checking the file being uploaded (via the dnd_codedropz_upload AJAX action), an attacker could bypass the checks in place and upload a PHP file.

There was a working exploit provided along with this vulnerability. It also requires the Contact Form 7 plugin to be installed on the target machine.

Proof of Concept

https://github.com/amartinsec/CVE-2020-12800/blob/master/exploit.py

Affects Plugins

drag-and-drop-multiple-file-upload-contact-form-7

Fixed in 1.3.3.3

References

CVE

CVE-2020-12800

Exploitdb

48520

URL

exploit/multi/http/wp_dnd_mul_file_rce

URL

https://packetstormsecurity.com/files/#157837/

URL

https://packetstormsecurity.com/files/#157951/

URL

https://github.com/amartinsec/CVE-2020-12800

Miscellaneous

Original Researcher

Austin Martin

Verified

Yes

WPVDB ID

53e47e67-c8c9-45a9-9a9c-da52c37047bf

Timeline

Publicly Published

2020-05-26 (about 5 years ago)

Added

2020-05-26 (about 5 years ago)

Last Updated

2020-10-21 (about 5 years ago)

Other

Published

Title

Published

2018-03-02

Title

NextGEN Gallery < 2.2.50 - Galley Paths Not Secured

Published

2015-03-03

Title

Captcha <= 4.0.6 - Captcha Bypass

Published

2025-11-03

Title

WP 2FA < 3.0.0 - Second Factor Bypass

Published

2026-02-17

Title

Passster < 4.2.26 - Global Protection Bypass

Published

2024-03-29

Title

VS Contact Form < 14.8 - CAPTCHA Bypass