Critical

Unrestricted File Upload RCE in Contact Form 7 for WordPress

IdentifiersCVE-2020-35489CWE-434· Unrestricted Upload of File with…

CVE-2020-35489 affects the Contact Form 7 WordPress plugin before version 5.3.2. The vulnerability is an unrestricted file upload issue caused by insufficient validation of uploaded filenames, specifically because a filename may contain special characters. This weakness can allow an attacker to upload a crafted file in a way that bypasses intended restrictions and results in remote code execution on the server hosting the vulnerable WordPress instance.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow remote code execution in the context of the web server and WordPress environment. Depending on server configuration, this may enable full site compromise, deployment of web shells or other malware, modification of site content, theft of application data, and potential pivoting to further access on the underlying host.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict or disable file upload functionality in Contact Form 7 where feasible, limit access to forms that accept attachments, and enforce server-side controls preventing execution of uploaded files in writable directories. Additional mitigations include WAF rules for suspicious multipart upload requests, monitoring upload paths for executable content, and validating that upload directories do not permit script execution.

Remediation

Patch, then assume compromise.

Upgrade the Contact Form 7 plugin to version 5.3.2 or later, which addresses the vulnerable file upload handling. Review the WordPress instance for unauthorized uploaded files, web shells, and other indicators of compromise if the vulnerable version was exposed. Apply standard hardening for upload directories and ensure least-privilege permissions for the web server account.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 3 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 3 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

RocklobsterContact Form 7application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

ctoatncsc substackNews

Apr 20, 2025

CTO at NCSC Summary: week ending April 20th

A specific vulnerability referenced in the context of a trojanized proof-of-concept exploit repository that led to malware infection when executed.

chocapikkNews

Feb 7, 2025

How I Got Hacked: A Warning about Malicious PoCs

A vulnerability identifier used as bait in a trojanized fake PoC repository; the content does not describe the underlying flaw itself, but focuses on malicious code masquerading as an exploit for this CVE.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2020-35489

NVD

nvd.nist.gov/vuln/detail/CVE-2020-35489

MITRE CWE · CWE-434

Unrestricted Upload of File with Dangerous Type

Vendor Advisory

contactform7.com/2020/12/17/contact-form-7-532

Third Party Advisory

wordpress.org/plugins/contact-form-7

Third Party Advisory

wpscan.com/vulnerability/10508

Third Party Advisory

getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload

Third Party Advisory

jinsonvarghese.com/unrestricted-file-upload-in-contact-form-7