WordPress Plugin Vulnerabilities

Contact Form 7 < 5.3.2 - Unrestricted File Upload

Description

The popular WordPress plugin, Contact Form 7 was found to be vulnerable to Unrestricted File Upload.

Proof of Concept

Affects Plugins

Plugin icon
contact-form-7
Fixed in 5.3.2

References

CVE
CVE-2020-35489
URL
https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload-vulnerability/
URL
https://www.jinsonvarghese.com/unrestricted-file-upload-in-contact-form-7/
URL
https://contactform7.com/2020/12/17/contact-form-7-532/#more-38314

Miscellaneous

Original Researcher
Jinson Varghese Behanan
Submitter
Jinson Varghese Behanan
Submitter website
https://www.getastra.com/
Submitter twitter
JinsonCyberSec
Verified
No
WPVDB ID
7391118e-eef5-4ff8-a8ea-f6b65f442c63

Timeline

Publicly Published
2020-12-17 (about 5 years ago)
Added
2020-12-17 (about 5 years ago)
Last Updated
2020-12-21 (about 5 years ago)

Other

Published
Title
Published
2018-12-24
Title
Baggage Freight Shipping Australia 0.1.0 - Unauthenticated Arbitrary File Upload
Published
2014-08-01
Title
Complete Gallery Manager 3.3.3 - Arbitrary File Upload
Published
2023-12-27
Title
WP MLM <= 4.0 - Unauthenticated Arbitrary File Upload
Published
2024-08-23
Title
Jupiter X Core < 4.6.6 - Unauthenticated Arbitrary File Upload
Published
2025-09-08
Title
Doccure < 1.5.1 - Authenticated (Subscriber+) Arbitrary File Upload