ID CVE-2020-35489 Type cve Reporter cve@mitre.org Modified 2020-12-22T12:57:00
Description
The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.
{"id": "CVE-2020-35489", "bulletinFamily": "NVD", "title": "CVE-2020-35489", "description": "The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.", "published": "2020-12-17T19:15:00", "modified": "2020-12-22T12:57:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35489", "reporter": "cve@mitre.org", "references": ["https://www.jinsonvarghese.com/unrestricted-file-upload-in-contact-form-7/", "https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload/", "https://wordpress.org/plugins/contact-form-7/#developers", "https://wpscan.com/vulnerability/10508", "https://contactform7.com/2020/12/17/contact-form-7-532/"], "cvelist": ["CVE-2020-35489"], "type": "cve", "lastseen": "2020-12-23T13:51:57", "edition": 2, "viewCount": 30, "enchantments": {"dependencies": {"references": [{"type": "wpexploit", "idList": ["WPEX-ID:10508"]}, {"type": "threatpost", "idList": ["THREATPOST:0E15C66722D04D8B54AE59F8976CEDAF"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:10508"]}], "modified": "2020-12-23T13:51:57", "rev": 2}, "score": {"value": 6.4, "vector": "NONE", "modified": "2020-12-23T13:51:57", "rev": 2}, "vulnersScore": 6.4}, "cpe": [], "affectedSoftware": [{"cpeName": "rocklobster:contact_form_7", "name": "rocklobster contact form 7", "operator": "lt", "version": "5.3.2"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:rocklobster:contact_form_7:5.3.2:*:*:*:*:wordpress:*:*", "versionEndExcluding": "5.3.2", "vulnerable": true}], "operator": "OR"}]}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, 
"cpe23": [], "cwe": ["CWE-434"], "scheme": null}
{"threatpost": [{"lastseen": "2020-12-17T23:23:41", "bulletinFamily": "info", "cvelist": ["CVE-2020-35489"], "description": "A patch for the popular WordPress plugin called Contact Form 7 was released Thursday. It fixes a critical bug that allows an unauthenticated adversary to takeover a website running the plugin or possibly hijack the entire server hosting the site. [The patch](<https://contactform7.com/2020/12/>) comes in the form of a 5.3.2 version update to the Contact Form 7 plugin.\n\nThe WordPress utility is active on 5 million websites with a majority of those sites ([70 percent](<https://wordpress.org/plugins/contact-form-7/advanced/>)) running version 5.3.1 or older of the Contact Form 7 plugin.\n\nThe critical vulnerability ([CVE-2020-35489](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489>)) is classified as an unrestricted file upload bug, according to [Astra Security Research, which found the flaw on Wednesday](<https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload-vulnerability/>).\n\n## **Quick Fix **\n\n\u201cThe plugin developer ([Takayuki Miyoshi](<https://contactform7.com/>)) was quick to fix the vulnerability, realizing its critical nature. We communicated back and forth trying to release the update as soon as possible to prevent any exploitation. An update fixing the issue has already been released, [in version 5.3.2](<https://contactform7.com/2020/12/>),\u201d according to Astra. 
\nThe bug hunter credited for identifying the flaw, [Jinson Varghese](<https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload-vulnerability/>), wrote that the vulnerability allows an unauthenticated user to bypass any form file-type restrictions in Contact Form 7 and upload an executable binary to a site running the plugin version 5.3.1 or earlier.\n\nNext, the adversary can do a number of malicious things, such as deface the website or redirect visitors to a third-party website in attempt to con visitors into handing over financial and personal information.\n\nIn addition to taking over the targeted website, an attacker could also commandeer the server hosting the site if there is no containerization used to segregate the website on the server hosting the WordPress instance, according to researchers.\n\n## **Easy to Exploit**\n\n\u201cIt is easily exploitable. And the attacker wouldn\u2019t need to be authenticated and the attack can be done remotely,\u201d said Naman Rastogi, digital marketer and growth hacker with Astra, in an email interview with Threatpost.\n\nHe said a Contact Form 7 update has now been pushed. \u201cFor users who have automatic updates on for WordPress plugin the software will automatically update. For others, they indeed will be required to proactively update,\u201d he told Threatpost.\n\nTo keep perspective on the bug, web analytics firm Netcraft estimates there are 455 million websites using the WordPress platform right now. 
That suggests 1.09 percent of WordPress sites could be vulnerable to attack via this flaw.\n", "modified": "2020-12-17T22:27:38", "published": "2020-12-17T22:27:38", "id": "THREATPOST:0E15C66722D04D8B54AE59F8976CEDAF", "href": "https://threatpost.com/contact-form-7-plugin-bug/162383/", "type": "threatpost", "title": "5M WordPress Sites Running 'Contact Form 7' Plugin Open to Attack", "cvss": {"score": 0.0, "vector": "NONE"}}], "wpvulndb": [{"lastseen": "2020-12-31T08:24:29", "bulletinFamily": "software", "cvelist": ["CVE-2020-35489"], "description": "The popular WordPress plugin, Contact Form 7 was found to be vulnerable to Unrestricted File Upload.\n\n### PoC\n\nAppend a unicode special character (from U+0000 [null] to U+001F [us]) to a filename and upload it via the ContactForm7 upload feature\n", "modified": "2020-12-21T10:53:24", "published": "2020-12-17T00:00:00", "id": "WPVDB-ID:10508", "href": "https://wpvulndb.com/vulnerabilities/10508", "type": "wpvulndb", "title": "Contact Form 7 < 5.3.2 - Unrestricted File Upload", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "wpexploit": 
[{"lastseen": "2020-12-31T08:24:29", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-35489"], "description": "The popular WordPress plugin, Contact Form 7 was found to be vulnerable to Unrestricted File Upload.\n", "modified": "2020-12-21T10:53:24", "published": "2020-12-17T00:00:00", "id": "WPEX-ID:10508", "href": "", "type": "wpexploit", "title": "Contact Form 7 < 5.3.2 - Unrestricted File Upload", "sourceData": "Append a unicode special character (from U+0000 [null] to U+001F [us]) to a filename and upload it via the ContactForm7 upload feature", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}