
CVE-2020-35489 PoC — WordPress contact-form-7 code issue vulnerability

Associated Vulnerability
Title: WordPress contact-form-7 code issue vulnerability (CVE-2020-35489)
Description: The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.
Readme
# Check-WP-CVE-2020-35489

## CVE-2020-35489
CVE-2020-35489 affects the WordPress plugin Contact Form 7 version 5.3.1 and older. By exploiting this vulnerability, an attacker could upload files of any type, bypassing all restrictions a site places on the allowed upload file types.

An estimated **5 million** websites were affected.

The PoC will be published on December 31, 2020, to give users time to update.

## Reference
https://wpscan.com/vulnerability/10508

https://contactform7.com/2020/12/17/contact-form-7-532/#more-38314

https://cwe.mitre.org/data/definitions/434.html

## Run script
```
$ python3 check_CVE-2020-35489.py -d domaintest.com

Contact Form 7 version: 5.1.3
domaintest.com is vulnerable!
```

```
$ python3 check_CVE-2020-35489.py -i in.txt -o out.txt
```
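The checker above reports the Contact Form 7 version it finds and a vulnerable/not-vulnerable verdict. The following is an added example written for this page, not the project's own `check_CVE-2020-35489.py`: it shows the two pieces such a check needs, extracting the plugin version from a page and comparing it numerically against the fixed release 5.3.2 from the advisory. It assumes (as is the WordPress convention) that the plugin's enqueued assets carry a `?ver=<plugin version>` query string; the HTML it parses is a constructed sample embedded inline, so it runs offline. The numeric comparison matters because a plain string comparison would call "5.10.0" older than "5.3.2".

```python
"""Offline version check for Contact Form 7 (CVE-2020-35489).

Added example, not code from the Check-WP-CVE-2020-35489 project.
Assumption: WordPress appends "?ver=<plugin version>" to the URLs of assets
the plugin enqueues, so the version is visible in the page's HTML.
"""
import re
from typing import Optional, Tuple

# First release that fixes CVE-2020-35489, per the advisory ("before 5.3.2").
FIXED_VERSION = "5.3.2"

# Matches any asset served from the plugin directory that carries a ?ver= tag.
_CF7_VER_RE = re.compile(
    r"""wp-content/plugins/contact-form-7/[^"'\s]*?\?ver=([0-9]+(?:\.[0-9]+)*)"""
)

# Constructed sample page: an unpatched site loading CF7 5.1.3 assets.
SAMPLE_HTML = """<html><head>
<link rel='stylesheet' href='https://example.test/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.1.3' type='text/css' />
<script src='https://example.test/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.1.3'></script>
</head><body><p>constructed sample</p></body></html>"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.1.3' into (5, 1, 3) so that tuple comparison is numeric.

    A string comparison would rank '5.10.0' below '5.3.2'; tuples do not.
    """
    return tuple(int(part) for part in version.split("."))


def extract_cf7_version(html: str) -> Optional[str]:
    """Return the Contact Form 7 version exposed in the page, or None."""
    match = _CF7_VER_RE.search(html)
    return match.group(1) if match else None


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_page(html: str) -> Tuple[Optional[str], Optional[bool]]:
    """Return (version, vulnerable) for a page, or (None, None) if the
    plugin's assets are not present in the HTML."""
    version = extract_cf7_version(html)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


if __name__ == "__main__":
    found, vulnerable = check_page(SAMPLE_HTML)
    if found is None:
        print("Contact Form 7 not detected in page")
    else:
        verdict = "vulnerable" if vulnerable else "not vulnerable"
        print(f"Contact Form 7 version: {found} ({verdict})")
```

Run it with no arguments to see the verdict for the embedded sample; to apply it to your own site, feed `check_page` the HTML of a page that renders a Contact Form 7 form. A page that does not load the plugin's assets yields `(None, None)` rather than a false "not vulnerable".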
File Snapshot

```
[4.0K] /data/pocs/5736639b52c7c6c3fd61bb57756eabd09fab4d71
├── [2.7K] check_CVE-2020-35489.py
├── [1.5K] factory.py
├── [ 823] README.md
└── [   9] requirements.txt

0 directories, 4 files
```