CVE-2020-12800
published 2020-06-08


Priority: P1 (93)
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploitation: exploited in the wild (ITW exploit); listed in VulnCheck KEV; initial-access vector
EPSS: 78.75% (99.5th percentile)
The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unrestricted File Upload and remote code execution by setting supported_type to php% and uploading a .php% file.

Affected

1 range
Vendor     Product                                             Version range   Fixed in
codedropz  drag_and_drop_multiple_file_upload_contact_form_7   < 1.3.3.3       1.3.3.3

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
path: /wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/
filename: *.php%
POST parameter: action=dnd_codedropz_upload
POST parameter: supported_type=php%
  • Detect exploit attempts by monitoring POST requests to /wp-admin/admin-ajax.php whose multipart form-data carries the 'action' field set to 'dnd_codedropz_upload' and a 'supported_type' value ending in '%' (e.g., 'php%').
  • Alert on file uploads whose filename ends in a trailing '%' (e.g., '.php%', '.txt%'); this is the technique used to bypass the plugin's extension filtering.
  • Monitor GET requests for .php files under /wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/; a hit there indicates a successfully uploaded webshell being triggered.
  • No authentication is required for exploitation, so unauthenticated POST requests to admin-ajax.php with the dnd_codedropz_upload action should be treated as highly suspicious (legitimate contact-form visitors are also unauthenticated, so pair this with the '%' indicators above rather than alerting on it alone).
  • The Content-Type of the uploaded file part is set to 'application/x-httpd-php' regardless of the filename extension, which serves as an additional signal in HTTP inspection.
  • The '%' bypass only works on plugin versions prior to 1.3.3.3 (some sources cite 1.3.4 as the fixed version). Detections keyed on the '%' suffix in filenames or supported_type are specific to this unpatched range.
  • The upload directory /wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/ is plugin-specific and will differ if the WordPress installation uses a non-default uploads directory; parameterize the path rather than hard-coding it.
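The detection rules above, applied to constructed raw HTTP requests. This is an added example and not code from the original page or from the plugin; the multipart file-part name "upload-file", the hostname example.test, the sample bodies and the way the caller decides "authenticated" are assumptions, while the action, supported_type, '%' suffix, Content-Type and upload-directory checks come from the IOC list. The upload directory is a parameter so the non-default-uploads caveat can be handled.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Default plugin upload directory from the IOC list; pass a different value to
# detect() when the WordPress install uses a non-default uploads directory.
PLUGIN_UPLOAD_DIR = "/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/"


@dataclass
class Request:
    method: str
    path: str
    authenticated: bool = False                  # assumption: caller derives this from a valid wordpress_logged_in_* cookie
    fields: dict = field(default_factory=dict)   # form fields and query parameters (name -> value)
    upload_name: str = ""                        # filename= of the multipart file part, if any
    upload_type: str = ""                        # Content-Type header of that file part, if any


def parse_raw_request(raw: str, authenticated: bool = False) -> Request:
    """Parse a raw HTTP/1.1 request (request line, headers, body) into a Request.
    Only multipart/form-data bodies are decoded; that is what admin-ajax.php
    hands to the plugin's upload handler."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    req = Request(method=method, path=url.path, authenticated=authenticated)
    for name, values in parse_qs(url.query).items():   # admin-ajax.php also honours ?action=
        req.fields[name] = values[0]
    m = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    if not m:
        return req
    boundary = "--" + m.group(1)
    for part in body.split(boundary)[1:]:
        if part.strip() in ("", "--"):          # preamble or the closing "--" marker
            continue
        phead, _, pbody = part.lstrip("\r\n").partition("\r\n\r\n")
        fname = re.search(r'filename="([^"]*)"', phead)
        name = re.search(r'(?<!file)name="([^"]*)"', phead)
        ptype = re.search(r"(?im)^Content-Type:\s*(\S+)", phead)
        if fname:
            req.upload_name = fname.group(1)
            req.upload_type = ptype.group(1) if ptype else ""
        elif name:
            req.fields[name.group(1)] = pbody.rstrip("\r\n")
    return req


def detect(req: Request, upload_dir: str = PLUGIN_UPLOAD_DIR) -> list:
    """Apply the IOC rules; returns (severity, reason) pairs, empty when nothing matches."""
    findings = []
    is_plugin_upload = (req.method == "POST"
                        and req.path.endswith("/wp-admin/admin-ajax.php")
                        and req.fields.get("action") == "dnd_codedropz_upload")
    if is_plugin_upload:
        if req.fields.get("supported_type", "").endswith("%"):
            findings.append(("high", "supported_type ends with '%' (extension-filter bypass)"))
        if req.upload_name.endswith("%"):
            findings.append(("high", "uploaded filename has a trailing '%' (extension-filter bypass)"))
        if req.upload_type.lower() == "application/x-httpd-php":
            findings.append(("medium", "file part declares Content-Type application/x-httpd-php"))
        if not req.authenticated:
            findings.append(("low", "unauthenticated dnd_codedropz_upload request"))
    if (req.method == "GET" and req.path.startswith(upload_dir)
            and req.path.lower().endswith(".php")):
        findings.append(("high", "PHP requested from the plugin upload directory (possible webshell trigger)"))
    return findings


def is_exploit_attempt(req: Request, upload_dir: str = PLUGIN_UPLOAD_DIR) -> bool:
    return any(sev == "high" for sev, _ in detect(req, upload_dir))


# --- constructed sample traffic (not captured from a real system) ---
BOUNDARY = "----ConstructedBoundary1234"


def build_upload_request(fields: dict, filename: str, file_type: str, content: str) -> str:
    # Assumption: the file part is named "upload-file"; only action and
    # supported_type are taken from the IOC list.
    parts = [f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
             for k, v in fields.items()]
    parts.append(f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="upload-file"; '
                 f'filename="{filename}"\r\nContent-Type: {file_type}\r\n\r\n{content}\r\n')
    parts.append(f"--{BOUNDARY}--\r\n")
    return ("POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: example.test\r\n"
            f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n\r\n" + "".join(parts))


EXPLOIT_SHAPED = build_upload_request({"action": "dnd_codedropz_upload", "supported_type": "php%"},
                                      "cmd.php%", "application/x-httpd-php", "<?php /* placeholder */ ?>")
BENIGN_UPLOAD = build_upload_request({"action": "dnd_codedropz_upload", "supported_type": "jpg|png"},
                                     "photo.jpg", "image/jpeg", "(jpeg bytes)")
WEBSHELL_TRIGGER = ("GET /wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/cmd.php?c=id HTTP/1.1\r\n"
                    "Host: example.test\r\n\r\n")
```

Run `detect(parse_raw_request(EXPLOIT_SHAPED))` to see the two high findings (supported_type and filename) plus the Content-Type and unauthenticated context signals; the benign upload yields only the low-severity "unauthenticated" entry, which is why `is_exploit_attempt` keys on high-severity findings alone. A GET for a .php file under a non-default uploads path is only caught when the matching `upload_dir` is passed.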

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck  -        9.8    CRITICAL