PT-2020-6885 · WordPress · Contact Form 7

Jinson Varghese Behanan · Published 2020-12-17 · Updated 2026-03-10

CVE-2020-35489 · CVSS v3.1 10 Critical · Vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Contact Form 7 versions prior to 5.3.2
Description: The Contact Form 7 plugin for WordPress contains an Unrestricted File Upload vulnerability that can lead to remote code execution. The plugin's filename handling allows an uploaded filename to contain special characters, which lets an attacker upload files of arbitrary type and then execute arbitrary code. The plugin has over 5 million active installations.
Recommendations: For versions prior to 5.3.2, update to version 5.3.2 or later to resolve the issue. Until the update is applied, restrict file uploads in the affected forms as a temporary workaround, and do not accept filenames that contain special characters.
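As an added example (not Contact Form 7's own code and not a description of its fix), the kind of filename normalization and extension allowlist check a form plugin should apply before accepting an upload. It assumes the "special characters" in the description are control and whitespace characters, and the extension allowlist is illustrative:

```php
<?php
// Added example, not Contact Form 7's own code: a defensive filename check of the
// kind a form plugin should apply before accepting an upload. Assumes the "special
// characters" in the advisory are control and whitespace characters, and that the
// extension allowlist below reflects the site's own upload policy.

const ALLOWED_UPLOAD_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

// Return a normalized, safe filename, or null if the upload must be rejected.
function safe_upload_filename(string $name): ?string
{
    // A NUL byte can truncate the name in C-level APIs; reject outright.
    if (strpos($name, "\0") !== false) {
        return null;
    }
    // Remove control characters (\pC) and separators/whitespace (\pZ) so the
    // extension check and the filesystem see the same name.
    $name = preg_replace('/[\pC\pZ]+/u', '', $name);
    if ($name === null) {
        return null; // invalid UTF-8
    }
    // Keep only the final path component; "../" and directory parts are dropped.
    $name = basename(str_replace('\\', '/', $name));

    // Require exactly one non-empty extension so a double extension cannot
    // carry a disallowed type past the allowlist.
    $parts = explode('.', $name);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }
    [$base, $ext] = $parts;
    $ext = strtolower($ext);
    if (!in_array($ext, ALLOWED_UPLOAD_EXTENSIONS, true)) {
        return null;
    }

    // Reduce the base name to a conservative character set and cap its length.
    $base = substr(preg_replace('/[^A-Za-z0-9_-]+/', '_', $base), 0, 100);

    return $base . '.' . $ext;
}

// Constructed sample inputs (not from the advisory); the loop prints whether
// each name is accepted after normalization or rejected.
$samples = ["report.pdf", "notes\t 2020.txt", "script.php", "image.php.jpg", "../../pic.jpg", "no_extension"];
foreach ($samples as $s) {
    $result = safe_upload_filename($s);
    printf("%-22s => %s\n", json_encode($s), $result ?? 'REJECTED');
}
```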

Exploit

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

BDU:2023-03193
CVE-2020-35489

Affected Products

Contact Form 7