CVE-2020-35489

CRITICAL

Contact Form 7 < 5.3.2 - Unrestricted File Upload and Remote Code Execution via Filename Special Characters

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2020-35489. PoCs published by dn9uy3n, reneoliveirajr, incogbyte.

AI-analyzed exploit summary: This repository contains a Python script that checks for the presence of CVE-2020-35489 by verifying the version of the Contact Form 7 WordPress plugin. It does not exploit the vulnerability but scans for vulnerable versions.

Description

The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.

Exploits (5)

nomisec SCANNER 31 stars
by dn9uy3n · poc
https://github.com/dn9uy3n/Check-WP-CVE-2020-35489

This repository contains a Python script that checks for the presence of CVE-2020-35489 by verifying the version of the Contact Form 7 WordPress plugin. It does not exploit the vulnerability but scans for vulnerable versions.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: WordPress Contact Form 7 plugin versions < 5.3.2
No auth needed
Prerequisites: Access to the target WordPress site's plugin directory
devstral-2 · analyzed Feb 18, 2026
nomisec SCANNER 12 stars
by reneoliveirajr · poc
https://github.com/reneoliveirajr/wp_CVE-2020-35489_checker

This repository contains a Python-based scanner to detect WordPress sites vulnerable to CVE-2020-35489, a file upload vulnerability in Contact Form 7 plugin versions before 5.3.2. It checks plugin versions via readme.txt but does not include exploit code.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: WordPress Contact Form 7 < 5.3.2
No auth needed
Prerequisites: Access to target WordPress site · Contact Form 7 plugin installed
devstral-2 · analyzed Feb 18, 2026
github WORKING POC 4 stars
by incogbyte · pythonpoc
https://github.com/incogbyte/cves_exploits/tree/main/CVE-2020-35489

This repository contains a functional exploit for CVE-2020-35489, an unrestricted file upload vulnerability in Contact Form 7 WordPress plugin versions < 5.3.2. The exploit checks for vulnerable versions and attempts to upload a PHP shell by manipulating the file extension and MIME type.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Contact Form 7 WordPress plugin < 5.3.2
No auth needed
Prerequisites: Contact Form 7 plugin with file upload field enabled · Misconfigured upload directory
devstral-2 · analyzed Feb 27, 2026
nomisec SCANNER 2 stars
by Cappricio-Securities · poc
https://github.com/Cappricio-Securities/CVE-2020-35489

This repository contains a Python-based scanner for detecting CVE-2020-35489, a vulnerability in Contact Form 7. The tool checks for the presence of specific endpoints and responses indicative of the vulnerability but does not include exploit code.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Contact Form 7
No auth needed
Prerequisites: Target URL or list of URLs
devstral-2 · analyzed Feb 18, 2026
nomisec SCANNER 2 stars
by X0UCYB3R · poc
https://github.com/X0UCYB3R/Check-WP-CVE-2020-35489

This repository contains a Python script that checks for the presence of vulnerable versions of the WordPress Contact Form 7 plugin (CVE-2020-35489) by fetching the plugin's readme.txt file and comparing the version number. It does not exploit the vulnerability but scans for it.

Classification: Scanner 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: WordPress Contact Form 7 plugin versions < 5.3.2
No auth needed
Prerequisites: Access to the target WordPress site's /wp-content/plugins/contact-form-7/readme.txt file
devstral-2 · analyzed Feb 18, 2026

References (5)

Core References
Release Notes, Third Party Advisory (x_refsource_misc): https://wordpress.org/plugins/contact-form-7/#developers
Third Party Advisory (x_refsource_misc): https://wpscan.com/vulnerability/10508

Scores

CVSS v3: 10.0
EPSS: 0.8801
EPSS Percentile: 99.5%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

CWE: CWE-434
Status: published
Products (1): rocklobster/contact_form_7 < 5.3.2
Published: Dec 17, 2020
Tracked Since: Feb 18, 2026