Description

The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.

Remediation

References

CVE-2020-35489

Related Vulnerabilities

WordPress 4.3.x Arbitrary File Deletion Vulnerability (4.3 - 4.3.16)

WordPress Plugin Email Verification for WooCommerce Unspecified Vulnerability (1.8.1)

WordPress Plugin WP Mobile Detector Arbitrary File Upload (3.5)

WordPress Ultimate Member Plugin Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-6944)

SharePoint Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-24955)

Severity

Critical

Classification

CVE-2020-35489 CWE-434 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities