CVSS: 10.0EPSS: 81%CPEs: 1EXPL: 3CVE-2020-35489 – Contact Form 7 <= 5.3.1 - Arbitrary File Upload via Bypass
https://notcve.org/view.php?id=CVE-2020-35489
The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters. El plugin contact-form-7 (también se conoce como Contact Form 7) versiones anteriores a 5.3.2 para WordPress, permite una Carga de Archivos Sin Restricciones y una ejecución de código remota porque un nombre de archivo puede contener caracteres especiales The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads in versions up to 5.3.2. This is due to the fact that the plugin allows filenames to contain special characters which may make extension filter evasion possible on certain configurations. Our team was not able to reproduce this issue which leads us to believe there is a high attack complexity or special configuration requirement. • https://github.com/dn9uy3n/Check-WP-CVE-2020-35489 https://github.com/Cappricio-Securities/CVE-2020-35489 https://github.com/X0UCYB3R/Check-WP-CVE-2020-35489 https://contactform7.com/2020/12/17/contact-form-7-532 https://wordpress.org/plugins/contact-form-7/#developers https://wpscan.com/vulnerability/10508 https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload https://www.jinsonvarghese.com/unrestricted-file-upload-in-contact-form-7 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-20979 – Contact Form 7 <= 5.0.3 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2018-20979
The contact-form-7 plugin before 5.0.4 for WordPress has privilege escalation because of capability_type mishandling in register_post_type. El plugin contact-form-7 versiones anteriores a 5.0.4 para WordPress, presenta una escalada de privilegios debido al manejo inapropiado de capability_type en register_post_type. The Contact Form 7 plugin for WordPress is vulnerable to authorization bypass due to capability_type mishandling in register_post_type in versions up to, and including, 5.0.3. This makes it possible for authenticated attackers with contributor level privileges and above to modify contact forms and potential supply paths to sensitive files that make sensitive information disclosure possible. • https://wordpress.org/plugins/contact-form-7/#developers • CWE-285: Improper Authorization •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2014-2265 – Contact Form 7 < 3.7.2 - CAPTCHA Bypass
https://notcve.org/view.php?id=CVE-2014-2265
Rock Lobster Contact Form 7 before 3.7.2 allows remote attackers to bypass the CAPTCHA protection mechanism and submit arbitrary form data by omitting the _wpcf7_captcha_challenge_captcha-719 parameter. Rock Lobster Contact Form 7 anterior a 3.7.2 permite a los atacantes remotos omitir el mecanismo de protección CAPTCHA y enviar datos de formularios arbitrarios omitiendo el parámetro _wpcf7_captcha_challenge_captcha-719. • http://contactform7.com/2014/02/26/contact-form-7-372 http://web.archive.org/web/20140727133642/http://www.hedgehogsecurity.co.uk/2014/02/26/contactform7-vulnerability http://wordpress.org/plugins/contact-form-7/changelog https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-contact-form-7-security-bypass-3-7-1 https://www.cvedetails.com/cve/CVE-2014-2265 • CWE-264: Permissions, Privileges, and Access Controls CWE-693: Protection Mechanism Failure •