CVE-2020-12800

CRITICAL EXPLOITED IN THE WILD NUCLEI

Wordpress Drag and Drop Multi File Uploader RCE

Title source: metasploit

Exploitation Summary

CVE-2020-12800 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 2 public exploits from researchers including amartinsec, h00die, Austin Martin <[email protected]>, including a Metasploit module exploits/multi/http/wp_dnd_mul_file_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC exploits an unrestricted file upload vulnerability in the WordPress plugin 'Drag and Drop Multiple File Upload - Contact Form 7' (CVE-2020-12800). It bypasses file type restrictions by appending '%' to the filename and allowed file type, enabling PHP file uploads for remote code execution.

Description

The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unrestricted File Upload and remote code execution by setting supported_type to php% and uploading a .php% file.

Exploits (2)

nomisec WORKING POC 27 stars

by amartinsec · remote

https://github.com/amartinsec/CVE-2020-12800

View Code ZIP pw:eip

This PoC exploits an unrestricted file upload vulnerability in the WordPress plugin 'Drag and Drop Multiple File Upload - Contact Form 7' (CVE-2020-12800). It bypasses file type restrictions by appending '%' to the filename and allowed file type, enabling PHP file uploads for remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: WordPress Plugin 'Drag and Drop Multiple File Upload - Contact Form 7' version 1.3.3.2

No auth needed

Prerequisites: Target must have the vulnerable plugin installed · Network access to the WordPress admin-ajax.php endpoint

MITRE ATT&CK

T1105 - Ingress Tool Transfer T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by h00die, Austin Martin <[email protected]> · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_dnd_mul_file_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits a file upload vulnerability in the WordPress Drag and Drop Multi File Upload plugin (CVE-2020-12800) by bypassing file extension restrictions to upload a malicious PHP shell. It automates the process of uploading the payload and locating it for execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: WordPress Drag and Drop Multi File Upload - Contact Form 7 < 1.3.4

No auth needed

Prerequisites: Target running vulnerable plugin version · Network access to WordPress site

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

WordPress Contact Form 7 <1.3.3.3 - Remote Code Execution

CRITICALby dwisiswant0

References (2)

Core 2

Core References

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://packetstormsecurity.com/files/157951/WordPress-Drag-And-Drop-Multi-File-Uploader-Remote-Code-Execution.html

Release Notes, Third Party Advisory x_refsource_confirm

https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/#developers

Scores

CVSS v3 9.8

EPSS 0.9388

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-04-12

InTheWild.io 2021-04-12

CWE

CWE-434

Status published

Products (1)

codedropz/drag_and_drop_multiple_file_upload_-_contact_form_7 < 1.3.3.3

Published Jun 08, 2020

Tracked Since Feb 18, 2026