CVE-2020-35489 PoC: WordPress contact-form-7 code issue vulnerability

Associated Vulnerability
Title: WordPress contact-form-7 code issue vulnerability (CVE-2020-35489)
Description: The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.
Description
A test script that checks whether a WordPress site is exposed to unrestricted file upload via CVE-2020-35489.
Readme
# Check-WP-CVE-2020-35489

## CVE-2020-35489
CVE-2020-35489 affects the WordPress plugin Contact Form 7 version 5.3.1 and older (fixed in 5.3.2). By exploiting this vulnerability, an attacker can upload files of any type, bypassing every restriction the site places on the allowed upload file types.

An estimated **5 million** websites were affected.

The PoC will be published on December 31, 2020, to give users time to update.

## Reference
https://wpscan.com/vulnerability/10508

https://contactform7.com/2020/12/17/contact-form-7-532/#more-38314

https://cwe.mitre.org/data/definitions/434.html

## Run script
```
$ python3 check_CVE-2020-35489.py -d domaintest.com

Contact Form 7 version: 5.1.3
domaintest.com is vulnerable!
```

```
$ python3 check_CVE-2020-35489.py -i in.txt -o out.txt
```
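The check behind the output above amounts to reading the installed plugin version and comparing it with the 5.3.2 fix release. The following is an added example, not the Check-WP-CVE-2020-35489 project's own script (the page does not show its source). It assumes the standard WordPress plugin layout, in which the plugin's `readme.txt` is served at `/wp-content/plugins/contact-form-7/readme.txt` and its `Stable tag:` line reflects the installed version; the function names, the `cf7-version-check` User-Agent and the sample readme bodies are all constructed for this example.

```python
"""
Added example (not the Check-WP-CVE-2020-35489 project's code): minimal
Contact Form 7 version check against the CVE-2020-35489 fix release.

Assumption (not stated on the page): the plugin's readme.txt is reachable at
/wp-content/plugins/contact-form-7/readme.txt and its "Stable tag:" line
reflects the installed version, as in the standard WordPress plugin layout.
"""
import re
import urllib.request

# Fixed in Contact Form 7 5.3.2, per the CVE description on the page.
FIXED_VERSION = (5, 3, 2)
README_PATH = "/wp-content/plugins/contact-form-7/readme.txt"


def parse_stable_tag(readme_text):
    """Return the 'Stable tag' value of a plugin readme.txt, or None if absent.

    Only tags that start with a digit are accepted; 'trunk' yields None."""
    m = re.search(r"^\s*Stable tag:\s*([0-9][0-9A-Za-z.\-]*)",
                  readme_text, re.M | re.I)
    return m.group(1) if m else None


def version_tuple(version):
    """Numeric prefix of a dotted version as an int tuple.

    Comparing tuples, not strings, keeps 5.10 > 5.3 (string compare gets it wrong)."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_vulnerable(version):
    """True when the installed version predates the 5.3.2 fix."""
    return version_tuple(version) < FIXED_VERSION


def check_readme(readme_text):
    """(version, vulnerable) for a readme body; (None, None) if no usable tag."""
    version = parse_stable_tag(readme_text)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


def fetch_readme(domain, timeout=10):
    """Fetch the plugin readme over HTTPS, then HTTP. Returns text or None."""
    for scheme in ("https", "http"):
        url = f"{scheme}://{domain}{README_PATH}"
        req = urllib.request.Request(url, headers={"User-Agent": "cf7-version-check"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.read().decode("utf-8", errors="replace")
        except Exception:
            continue  # try the next scheme; any failure means "not found"
    return None


# Constructed sample readme bodies (not captured from a real site).
SAMPLE_OLD = """=== Contact Form 7 ===
Tags: contact, form
Stable tag: 5.1.3
"""
SAMPLE_FIXED = """=== Contact Form 7 ===
Tags: contact, form
Stable tag: 5.3.2
"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        body = fetch_readme(sys.argv[1])
        version, vuln = check_readme(body) if body else (None, None)
    else:
        version, vuln = check_readme(SAMPLE_OLD)  # offline demo
    if version is None:
        print("Contact Form 7 readme.txt not found or unparsable")
    else:
        print(f"Contact Form 7 version: {version}")
        print("vulnerable!" if vuln else "not vulnerable (>= 5.3.2)")
```

Run it with a domain argument to perform the live check, or with no arguments for the offline demo on the constructed sample. Two caveats a practitioner should keep in mind: a site can block or strip `readme.txt` while still running an old plugin, so a missing readme is "unknown", not "safe"; and a `Stable tag` of `trunk` or a stale readme left behind after an upgrade gives no reliable answer either, which is why the example returns `(None, None)` rather than guessing.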