CVE-2020-12800
Published: 2020-06-08
Priority: P1 · 93 · critical · 9.8 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW exploit · VulnCheck KEV · initial access)
EPSS: 78.75% (99.5th percentile)
The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unrestricted File Upload and remote code execution by setting supported_type to php% and uploading a .php% file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codedropz | drag_and_drop_multiple_file_upload_contact_form_7 | < 1.3.3.3 | 1.3.3.3 |
Detection & IOCs (extracted from sources)
- Detect exploit attempts by monitoring POST requests to /wp-admin/admin-ajax.php with multipart form-data containing the 'action' field set to 'dnd_codedropz_upload' and a 'supported_type' value ending in '%' (e.g., 'php%').
- Alert on file uploads where the filename contains a trailing '%' character (e.g., '.php%', '.txt%'), as this is the bypass technique used to circumvent extension filtering.
- Monitor GET requests to /wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/ for PHP file execution, which would indicate a successfully uploaded webshell being triggered.
- No authentication is required for exploitation; unauthenticated POST requests to admin-ajax.php with the dnd_codedropz_upload action should be treated as highly suspicious.
- The Content-Type of the uploaded file is set to 'application/x-httpd-php' regardless of the filename extension, which can be used as an additional detection signal in HTTP inspection.
- Caveat: the '%' bypass only works on plugin versions prior to 1.3.3.3 (some sources cite 1.3.4 as the fixed version). Detections targeting the '%' suffix in filenames or supported_type are specific to this unpatched range.
- Caveat: the upload directory path /wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/ is plugin-specific and may vary if the WordPress installation uses a non-default uploads directory.
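As an added illustration of the indicators listed above (this is not a rule from any source cited on this page), the following Python snippet parses a multipart upload body plus a request path and reports which indicators match. The multipart field name `upload-file`, the boundary and the sample body are constructed assumptions; the endpoint, action name and upload directory are the ones named in the list.

```python
import re

# Endpoint, action and upload directory named in the detection list above.
AJAX_PATH = "/wp-admin/admin-ajax.php"
UPLOAD_ACTION = "dnd_codedropz_upload"
UPLOAD_DIR = "/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/"

# Minimal multipart/form-data part matcher: name, optional filename, optional Content-Type, body.
PART_RE = re.compile(
    r'Content-Disposition: form-data; name="(?P<name>[^"]+)"'
    r'(?:; filename="(?P<filename>[^"]*)")?'
    r'(?:\r?\nContent-Type: (?P<ctype>\S+))?'
    r'\r?\n\r?\n(?P<value>.*?)(?=\r?\n--)', re.S)

def parse_multipart(body: str) -> dict:
    """Return {field name: {value, filename, ctype}} for each form part."""
    return {m["name"]: {"value": m["value"], "filename": m["filename"],
                        "ctype": m["ctype"]} for m in PART_RE.finditer(body)}

def assess_request(method: str, path: str, body: str = "") -> list:
    """Return the indicator tags matched by one HTTP request (empty list if none)."""
    hits = []
    clean_path = path.split("?", 1)[0]
    if method == "POST" and clean_path == AJAX_PATH:
        parts = parse_multipart(body)
        if parts.get("action", {}).get("value") != UPLOAD_ACTION:
            return hits  # other admin-ajax actions are out of scope here
        hits.append("ajax-upload-action")  # endpoint needs no authentication
        if (parts.get("supported_type", {}).get("value") or "").endswith("%"):
            hits.append("supported_type-percent-suffix")
        for part in parts.values():
            if (part["filename"] or "").endswith("%"):
                hits.append("filename-percent-suffix")  # extension-filter bypass
            if part["ctype"] == "application/x-httpd-php":
                hits.append("php-content-type")
    elif method == "GET" and clean_path.startswith(UPLOAD_DIR) \
            and clean_path.lower().endswith(".php"):
        hits.append("php-fetch-from-upload-dir")  # possible webshell trigger
    return hits

# Constructed sample request body; the "upload-file" field name is an assumption.
SAMPLE_BODY = (
    '--BOUNDARY\r\nContent-Disposition: form-data; name="action"\r\n\r\n'
    "dnd_codedropz_upload\r\n"
    '--BOUNDARY\r\nContent-Disposition: form-data; name="supported_type"\r\n\r\n'
    "php%\r\n--BOUNDARY\r\n"
    'Content-Disposition: form-data; name="upload-file"; filename="sample.php%"\r\n'
    "Content-Type: application/x-httpd-php\r\n\r\nCONSTRUCTED-FILE-CONTENT\r\n"
    "--BOUNDARY--\r\n"
)
```

Run `assess_request("POST", AJAX_PATH, SAMPLE_BODY)` to see all four upload-side indicators fire at once; a benign admin-ajax action or a non-PHP fetch from the upload directory returns an empty list.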
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
GHSA
CVE-2020-12800 [HIGH] GHSA-f9h8-9393-wwc5 · ghsa_unreviewed · 2022-05-24
VulnCheck
CVE-2020-12800 [CRITICAL] codedropz drag_and_drop_multiple_file_upload_-_contact_form_7 Unrestricted Upload of File with Dangerous Type · vulncheck · 2020 · CVSS 9.8
Affected: codedropz drag_and_drop_multiple_file_upload_-_contact_form_7
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-11&host_type=src&vulnerability=cve-2020-12800; https://dashboard.
No detection rules found.
Metasploit
Wordpress Drag and Drop Multi File Uploader RCE · metasploit
This module exploits a file upload feature of Drag and Drop Multi File Upload - Contact Form 7 for versions prior to 1.3.4. The allowed file extension list can be bypassed by appending a %, allowing for php shells to be uploaded. No authentication is required for exploitation.
Nuclei
CVE-2020-12800 [CRITICAL] WordPress Contact Form 7 <1.3.3.3 - Remote Code Execution · nuclei · CVSS 9.8
WordPress Contact Form 7 before 1.3.3.3 allows unrestricted file upload and remote code execution by setting supported_type to php% and uploading a .php% file.
Template:

```yaml
id: CVE-2020-12800

info:
  name: WordPress Contact Form 7 <1.3.3.3 - Remote Code Execution
  author: dwisiswant0
  severity: critical
  description: |
    WordPress Contact Form 7 before 1.3.3.3 allows unrestricted file upload and remote code execution by setting supported_type to php% and uploading a .php% file.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected WordPress site.
  remediation: |
    Update the Contact Form 7 plugin to version 1.3.3.3 or later to mitigate this vulnerability.
  reference:
    - https:
```
Unit42
CVE-2020-28188 [HIGH] Network Attack Trends: Internet of Threats (November 2020-January 2021) · blogs_unit42 · 2021-04-12 · CVSS 7.5
Authors: Lei Xu, Yue Guan, Vaibhav Singhal · Published: April 12, 2021
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a deep dive into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Greynoiseio
NoiseLetter October 2025 · blogs_greynoiseio
References
- https://packetstormsecurity.com/files/157951/WordPress-Drag-And-Drop-Multi-File-Uploader-Remote-Code-Execution.html
- https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/#developers