CVE-2020-12800

CRITICAL EXPLOITED IN THE WILD NUCLEI

Wordpress Drag and Drop Multi File Uploader RCE

Title source: metasploit

Description

The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unrestricted File Upload and remote code execution by setting supported_type to php% and uploading a .php% file.

Exploits (2)

nomisec WORKING POC 27 stars

by amartinsec · remote

https://github.com/amartinsec/CVE-2020-12800

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by h00die, Austin Martin <[email protected]> · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_dnd_mul_file_rce.rb

View Code ZIP pw:eip

Nuclei Templates (1)

WordPress Contact Form 7 <1.3.3.3 - Remote Code Execution

CRITICALby dwisiswant0

References (2)

[Exploit, Third Party Advisory, VDB Entry] https://packetstormsecurity.com/files/157951/WordPress-Drag-And-Drop-Multi-File-Uploader-Remote-Code-Execution.html

[Release Notes, Third Party Advisory] https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/#developers

Scores

CVSS v3 9.8

EPSS 0.9388

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-04-12

InTheWild.io 2021-04-12

CWE

CWE-434

Status published

Products (1)

codedropz/drag_and_drop_multiple_file_upload_-_contact_form_7 < 1.3.3.3

Published Jun 08, 2020

Tracked Since Feb 18, 2026