CVE-2020-35489

Опубликовано: 17 дек. 2020

Источник: nvd

CVSS3: 10

CVSS2: 10

EPSS Критический

Описание

The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.

Ссылки

https://contactform7.com/2020/12/17/contact-form-7-532/
Vendor Advisory
https://wordpress.org/plugins/contact-form-7/#developers
Release Notes
Third Party Advisory
https://wpscan.com/vulnerability/10508
Third Party Advisory
https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload/
Third Party Advisory
https://www.jinsonvarghese.com/unrestricted-file-upload-in-contact-form-7/
Third Party Advisory
https://contactform7.com/2020/12/17/contact-form-7-532/
Vendor Advisory
https://wordpress.org/plugins/contact-form-7/#developers
Release Notes
Third Party Advisory
https://wpscan.com/vulnerability/10508
Third Party Advisory
https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload/
Third Party Advisory
https://www.jinsonvarghese.com/unrestricted-file-upload-in-contact-form-7/
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:rocklobster:contact_form_7:*:*:*:*:*:wordpress:*:*

Версия до 5.3.2 (исключая)

EPSS

Процентиль: 100%

0.90113

Критический

10 Critical

CVSS3

10 Critical

CVSS2

Дефекты

CWE-434

Связанные уязвимости

GHSA-j93q-24g6-27r6

github

больше 3 лет назад

The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.

BDU:2023-03193

CVSS3: 10

fstec

около 5 лет назад

Уязвимость плагина Contact Form 7 системы управления содержимым сайта WordPress, позволяющая нарушителю загрузить файлы произвольного типа и выполнить произвольный код

EPSS

Процентиль: 100%

0.90113

Критический

10 Critical

CVSS3

10 Critical

CVSS2

Дефекты

CWE-434