CVE-2020-12800 Overview
CVE-2020-12800 is a critical unrestricted file upload vulnerability in the Drag and Drop Multiple File Upload plugin for WordPress Contact Form 7. The vulnerability exists in versions prior to 1.3.3.3 and allows attackers to bypass file type restrictions by manipulating the supported_type parameter to accept .php% files. This enables unauthenticated remote code execution on affected WordPress installations.
Critical Impact
Attackers can upload and execute arbitrary PHP code on vulnerable WordPress servers, leading to complete site compromise, data theft, malware distribution, and lateral movement within hosting environments.
Affected Products
- Codedropz Drag and Drop Multiple File Upload - Contact Form 7 versions prior to 1.3.3.3
- WordPress installations using the vulnerable plugin versions
- Websites with Contact Form 7 configured with the drag-and-drop file upload extension
Discovery Timeline
- 2020-06-08 - CVE-2020-12800 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-12800
Vulnerability Analysis
This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The plugin fails to properly validate and sanitize file extensions during the upload process. By appending a percent sign (%) to the PHP extension and configuring the supported_type parameter to accept php%, attackers can bypass the file type whitelist mechanism entirely.
The attack requires no authentication and can be executed remotely through standard HTTP requests to the WordPress site. Once a malicious PHP file is uploaded, the attacker can access it directly via the web server, triggering code execution with the privileges of the web server process.
Root Cause
The root cause lies in insufficient file extension validation logic within the plugin. The validation routine does not properly handle URL-encoded or specially crafted file extensions, and the list of accepted types is taken from the supported_type value supplied with the request. When supported_type is manipulated to include php%, the plugin accepts files with the .php% extension. Depending on its configuration, the web server may then treat such a file as a standard PHP script, allowing arbitrary code execution.
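The following Python example is added here to illustrate the validation pattern described above; it is not the plugin's code and does not reproduce its logic. weak_check is a hypothetical sketch of the class of flaw: the accepted-type list arrives with the request and the text after the last dot is compared as an opaque string, so a client-supplied php% admits a file named shell.php%. hardened_check shows the independent server-side validation a site can apply regardless of the plugin: a fixed allowlist the client cannot change, exactly one alphanumeric extension, and rejection of any name that carries a PHP-like extension anywhere. The allowlist contents and the function names are assumptions for this example.

```python
import re

# Server-side allowlist that the request cannot change. Taking this list from the
# client (the supported_type parameter in CVE-2020-12800) is the core mistake.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt"})

# Any extension PHP (or a permissively configured web server) might execute.
# Matched anywhere after a dot, so .php%, .php.jpg and .phtml all hit.
EXECUTABLE_MARKER = re.compile(r"\.(?:php\d?|phtml|phar)(?:[^a-z0-9]|$)", re.IGNORECASE)


def weak_check(filename, supported_types):
    """Hypothetical illustration of the flawed pattern (not the plugin's code).
    supported_types comes from the request, and the text after the last dot is
    compared as-is, so supported_types=['php%'] admits 'shell.php%'."""
    allowed = {t.strip().lower() for t in supported_types}
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in allowed


def hardened_check(filename, allowed=ALLOWED_EXTENSIONS):
    """Accept only '<stem>.<ext>' where ext is one alphanumeric allowlisted token
    and the name carries no PHP-like extension anywhere."""
    name = re.split(r"[\\/]", filename)[-1]     # drop any client-supplied path
    if not name or "\x00" in name:
        return False
    if EXECUTABLE_MARKER.search(name):          # shell.php, shell.php%, a.php.jpg, x.phtml
        return False
    if name.count(".") != 1:                    # exactly one extension, no double extensions
        return False
    stem, ext = name.split(".")
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,100}", stem):   # also rejects ".htaccess"
        return False
    ext = ext.lower()
    return re.fullmatch(r"[a-z0-9]{1,10}", ext) is not None and ext in allowed


if __name__ == "__main__":
    # Constructed names: the bypass from the advisory beside ordinary uploads.
    for name in ("photo.jpg", "shell.php%", "cover.php.jpg", "notes.phtml"):
        print(f"{name:14} weak={weak_check(name, ['jpg', 'php%'])!s:5} "
              f"hardened={hardened_check(name)}")
```

The extension check is only one layer: pair it with blocking PHP execution in the uploads directory at the web server, so that a file which slips past validation still cannot run.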
Attack Vector
The attack is network-based and requires no user interaction or prior authentication. An attacker targets a vulnerable WordPress installation by:
- Identifying a form using the vulnerable plugin
- Crafting a malicious HTTP request that sets supported_type to php%
- Uploading a PHP webshell or malicious script with a .php% extension
- Accessing the uploaded file directly to trigger code execution
The vulnerability allows attackers to completely compromise the web application, potentially leading to database access, credential theft, defacement, or use of the server for further malicious activities.
Detection Methods for CVE-2020-12800
Indicators of Compromise
- Unexpected PHP files in WordPress upload directories, particularly with unusual extensions like .php%
- Web server access logs showing POST requests to Contact Form 7 endpoints with suspicious file uploads
- New or modified PHP files in /wp-content/uploads/ directories with recent timestamps
- Anomalous outbound connections from the web server process
Detection Strategies
- Monitor WordPress upload directories for newly created executable files
- Implement file integrity monitoring on WordPress installations
- Review web server logs for POST requests containing supported_type parameters with php variants
- Deploy web application firewalls (WAF) with rules to detect file upload bypass attempts
- Scan for known webshell signatures in upload directories
Monitoring Recommendations
- Enable detailed logging for file upload operations in WordPress
- Set up alerts for executable file creation in upload directories
- Monitor for unusual process spawning from web server processes
- Implement regular malware scanning on WordPress file systems
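As an added example (not part of this advisory, and not tooling from the plugin or WordPress), the following Python script implements two of the checks listed above. It classifies access-log lines in the Apache/Nginx combined format, flagging requests whose query string sets supported_type to a php variant and requests that fetch a PHP-like file from under /wp-content/uploads/, and it walks an uploads directory for files whose names contain a PHP extension, optionally limited to recent modification times. The log lines and file names are constructed sample data, and the /wp-admin/admin-ajax.php request path is an assumption, since the advisory does not name the plugin's endpoint.

```python
import os
import re
import tempfile
import time
from urllib.parse import parse_qs, unquote, urlsplit

# File names that should never exist under wp-content/uploads. ".php" and its
# aliases are matched anywhere after a dot, so shell.php, shell.php% (the
# CVE-2020-12800 bypass) and double extensions such as shell.php.jpg all hit.
DANGEROUS_NAME = re.compile(r"\.(?:php\d?|phtml|phar)(?:[^a-z0-9]|$)", re.IGNORECASE)

# Apache/Nginx "combined" format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def classify_request(line):
    """Return a reason string if the log line matches CVE-2020-12800 activity, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("path"))
    query = parse_qs(parts.query, keep_blank_values=True)
    # 1. supported_type carrying a php variant (php, php%, PHP5 ...) in the query
    #    string. parse_qs percent-decodes, so php%25 is seen as php%.
    for value in query.get("supported_type", []):
        if "php" in value.lower():
            return f"supported_type set to {value!r}"
    # 2. Direct request for a PHP-like file under the uploads tree: the stage
    #    where an uploaded script is executed.
    file_path = unquote(parts.path)
    if "/wp-content/uploads/" in file_path and DANGEROUS_NAME.search(os.path.basename(file_path)):
        return f"{m.group('method')} of PHP-like file in uploads ({file_path})"
    return None


def suspicious_log_lines(lines):
    """Scan an iterable of access-log lines; return (line_number, reason) pairs."""
    hits = []
    for number, line in enumerate(lines, 1):
        reason = classify_request(line.rstrip("\n"))
        if reason:
            hits.append((number, reason))
    return hits


def scan_uploads(root, max_age_seconds=None):
    """Walk an uploads tree and return relative paths (with '/' separators) of
    PHP-like files. With max_age_seconds set, only files modified inside that
    window are reported, which is the 'recent timestamps' indicator."""
    now = time.time()
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not DANGEROUS_NAME.search(name):
                continue
            full = os.path.join(dirpath, name)
            if max_age_seconds is not None and now - os.path.getmtime(full) > max_age_seconds:
                continue
            found.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(found)


# Constructed sample lines, not real traffic: a bypass attempt via the query
# string, the follow-up fetch of the uploaded file, and two benign requests.
# The admin-ajax.php path is an assumption; the advisory does not name the endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jun/2020:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?supported_type=php%25 HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.7 - - [08/Jun/2020:10:00:05 +0000] "GET /wp-content/uploads/2020/06/shell.php%25 HTTP/1.1" 200 31 "-" "curl/7.68.0"',
    '198.51.100.2 - - [08/Jun/2020:10:01:00 +0000] "GET /wp-content/uploads/2020/06/photo.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [08/Jun/2020:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]


def demo_scan():
    """Build a throwaway uploads tree from constructed names and scan it twice:
    everything PHP-like, then only files touched in the last hour."""
    root = tempfile.mkdtemp(prefix="uploads-demo-")
    folder = os.path.join(root, "2020", "06")
    os.makedirs(folder)
    for name in ("photo.jpg", "shell.php%", "resume.pdf", "cover.php.jpg", "old.php"):
        with open(os.path.join(folder, name), "w") as fh:
            fh.write("constructed\n")
    os.utime(os.path.join(folder, "old.php"), (0, 0))   # pretend it is years old
    return scan_uploads(root), scan_uploads(root, max_age_seconds=3600)


if __name__ == "__main__":
    for number, reason in suspicious_log_lines(SAMPLE_LOG):
        print(f"log line {number}: {reason}")
    every, recent = demo_scan()
    print("PHP-like files:", every)
    print("modified in last hour:", recent)
```

A standard access log records only the request line, so a supported_type value sent in a POST body is invisible to this script; reviewing it requires a WAF or ModSecurity-style audit log that captures request bodies. Against a real host, pass the open log file to suspicious_log_lines and the live uploads path (for instance /var/www/html/wp-content/uploads, an example path) to scan_uploads with max_age_seconds set to the window you are investigating.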
How to Mitigate CVE-2020-12800
Immediate Actions Required
- Update the Drag and Drop Multiple File Upload - Contact Form 7 plugin to version 1.3.3.3 or later immediately
- Audit all files in WordPress upload directories for unauthorized PHP files
- Review web server logs for evidence of exploitation attempts
- Consider temporarily disabling file upload functionality if immediate patching is not possible
Patch Information
The vulnerability has been addressed in version 1.3.3.3 and later of the plugin. Site administrators should update through the WordPress plugin management interface or download the latest version from the WordPress Plugin Developer Page. Additional technical details regarding exploitation are documented in the Packet Storm Exploit Analysis.
Workarounds
- Restrict file upload types at the web server level using Apache or Nginx configuration
- Implement server-side file type validation independent of the plugin
- Block execution of PHP files in upload directories using .htaccess or server configuration
- Deploy a web application firewall to filter malicious upload requests
- Consider removing the plugin entirely if file upload functionality is not required
# Apache .htaccess to prevent PHP execution in the uploads directory
# Place in /wp-content/uploads/.htaccess. Matches any name containing ".php",
# so shell.php, shell.php% and shell.php.jpg are all denied (2.4 and 2.2 syntax)
<FilesMatch "\.php.*$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>
# Nginx configuration to block PHP execution in uploads. Put it before the
# "location ~ \.php$" block that passes requests to PHP-FPM (the first matching
# regex location wins); no "$" anchor, so shell.php% and shell.php.jpg are caught too
location ~* /wp-content/uploads/.*\.php {
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.