CVE-2020-12800 — AI Deep Analysis Summary

🚨 **Essence**: Unrestricted file upload in WordPress plugin. 💥 **Consequences**: Attackers upload `.php%` files to achieve **Remote Code Execution (RCE)**. The server becomes fully compromised.

🛡️ **CWE**: CWE-434 (Unrestricted Upload of File with Dangerous Type). 🐛 **Flaw**: The plugin fails to validate file extensions properly. It allows dangerous types like PHP when `supported_type` is manipulated.

📦 **Product**: WordPress Plugin: **Drag and Drop Multi File Upload - Contact Form 7**. 📉 **Affected Versions**: Versions **before 1.3.3.3**. Core WordPress is not directly vulnerable, only this specific plugin.

👑 **Privileges**: Full **Remote Code Execution (RCE)**. 📂 **Data**: Attackers can execute arbitrary PHP code, access sensitive data, install backdoors, and take over the entire website.

⚡ **Threshold**: **LOW**. 🚪 **Auth**: No authentication required. 📝 **Config**: Exploitation is straightforward via HTTP requests. No complex setup needed.

🔓 **Exploit**: **YES**. Public POCs exist on GitHub (e.g., by @amartinsec) and Nuclei templates. Wild exploitation is highly likely due to ease of use.

🔍 **Check**: Scan for the plugin name. 🧪 **Test**: Try uploading a file with extension `.php%`. If the server executes it, you are vulnerable. Use automated scanners like Nuclei.

✅ **Fixed**: **YES**. Official patch released in version **1.3.3.3**. 🔄 **Action**: Update the plugin immediately to the latest safe version.

🚧 **Workaround**: If you cannot update, **disable the plugin** immediately. 🚫 **Block**: Restrict upload directories via `.htaccess` or WAF rules to block PHP execution in upload folders.

🔥 **Priority**: **CRITICAL**. 🚨 **Urgency**: High. RCE via simple upload is a top-tier threat. Patch immediately to prevent server takeover.