CVE-2020-12800
📋 TL;DR
This vulnerability in the WordPress Drag and Drop Multiple File Uploader plugin allows attackers to upload PHP files and execute arbitrary code on affected websites. Attackers can achieve remote code execution by exploiting improper file type validation. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- WordPress Drag and Drop Multiple File Uploader for Contact Form 7
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary code, steal data, install malware, or take over the entire WordPress installation.
Likely Case
Website defacement, data theft, installation of backdoors or cryptocurrency miners, and potential lateral movement to other systems.
If Mitigated
Limited impact if proper file upload restrictions and web application firewalls are in place, though risk remains elevated.
🎯 Exploit Status
Exploitation is straightforward with publicly available proof-of-concept code. Attackers can upload malicious PHP files without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.3.3
Vendor Advisory: https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Drag and Drop Multiple File Uploader for Contact Form 7'.
4. Click 'Update Now' if available, or manually update to version 1.3.3.3 or later.
5. Verify the plugin version after the update.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until patching is possible:
wp plugin deactivate drag-and-drop-multiple-file-upload-contact-form-7
File Upload Restrictions
Configure the web server to block access to .php files in the uploads directory. This does not stop a file from being written, but Apache will refuse to serve or execute it. Add the following to the .htaccess file in the uploads directory (requires AllowOverride to permit Limit/FileInfo directives; the Order/Deny syntax is Apache 2.2 style and needs mod_access_compat on Apache 2.4, where Require all denied is the native form):
<FilesMatch "\.php$">
Order Allow,Deny
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Remove the plugin completely from the WordPress installation
- Implement strict file upload filtering at the web application firewall level
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel, go to Plugins → Installed Plugins and check the version of 'Drag and Drop Multiple File Uploader for Contact Form 7'. If the version is below 1.3.3.3, the site is vulnerable.
Check Version:
wp plugin get drag-and-drop-multiple-file-upload-contact-form-7 --field=version
Verify Fix Applied:
Confirm plugin version is 1.3.3.3 or higher in WordPress admin panel. Test file upload functionality with PHP files to ensure they are rejected.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed file upload attempts with .php extensions
- Successful uploads of .php files to wp-content/uploads/ directory
- Unusual POST requests to /wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/
Network Indicators:
- HTTP POST requests with file uploads containing .php extensions
- Traffic to unexpected PHP files in upload directories
SIEM Query:
source="web_server" AND (uri_path="*drag-and-drop-multiple-file-upload*" OR file_extension="php") AND http_method="POST"
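The log indicators above can be turned into a simple scanner over web server access logs. The following is an added example, not part of this advisory or the plugin: it parses Apache/nginx combined-format lines and flags POSTs to the plugin path and any request for a .php file under wp-content/uploads/, distinguishing requests that were served from those the .htaccess rule above blocked. The log lines embedded in it are constructed samples, and the plugin endpoint is taken from the indicator list, not from the plugin's source.

```python
import re
from typing import Dict, List, Optional

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoint named in the advisory's log indicators (assumed to be the upload handler path)
PLUGIN_PATH = "/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/"
# Any .php file under the uploads tree; these should never exist on a healthy site
UPLOADED_PHP_RE = re.compile(r"/wp-content/uploads/.*\.php$", re.IGNORECASE)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return an indicator record for a suspicious access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; ignore rather than guess
    method, status = m["method"], m["status"]
    path = m["path"].split("?", 1)[0]  # drop the query string before matching
    if method == "POST" and path.startswith(PLUGIN_PATH):
        kind = "plugin_upload_endpoint_post"
    elif UPLOADED_PHP_RE.search(path):
        # 2xx means the server executed/served the file; anything else was blocked
        kind = "php_in_uploads_served" if status.startswith("2") else "php_in_uploads_blocked"
    else:
        return None
    return {"ip": m["ip"], "time": m["time"], "method": method,
            "path": path, "status": status, "indicator": kind}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over every line and keep only the hits."""
    return [rec for rec in (classify(l) for l in lines) if rec]


# Constructed sample log lines (not real traffic)
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2020:12:00:01 +0000] "POST /wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/ HTTP/1.1" 200 312 "-" "curl/7.68.0"
203.0.113.7 - - [10/May/2020:12:00:05 +0000] "GET /wp-content/uploads/2020/05/shell.php HTTP/1.1" 200 55 "-" "curl/7.68.0"
198.51.100.2 - - [10/May/2020:12:01:00 +0000] "GET /wp-content/uploads/2020/05/photo.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2020:12:02:00 +0000] "GET /wp-content/uploads/evil.php HTTP/1.1" 403 199 "-" "python-requests/2.23"
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Feed it `access.log` line by line in production; a `php_in_uploads_served` hit is the one that warrants immediate incident response, since it means the hardening rule was absent or bypassed.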
🔗 References
- https://packetstormsecurity.com/files/157951/WordPress-Drag-And-Drop-Multi-File-Uploader-Remote-Code-Execution.html
- https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/#developers