Contact Form 7 is a WordPress plugin for managing multiple website contact forms. On December 16th, researchers at Astra Security discovered a critical vulnerability being tracked as CVE-2020-35489 which could allow an attacker to bypass file name sanitization checks to upload files of any type. By crafting a file name with two file extensions separated by special characters like a tab, an attacker could trick the plugin into accepting the file while discarding all characters after the first extension. Abusing this could lead to PHP scripts being uploaded and executed.
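To make the failure mode concrete, here is an added Python model (not the plugin's own code, and not written by the advisory's authors) of the validate-then-store mismatch described above, beside a hardened check that normalizes the name first and validates exactly the string it will store. The sample file name and the "truncate at the first control character" storage behaviour are constructed assumptions chosen to mirror the description, not the plugin's source.

```python
import os
import re
import unicodedata

# Constructed sample: two extensions separated by a tab, as the advisory describes.
SAMPLE_NAME = "report.php\t.jpg"

# Strict allow-list of upload extensions (assumed policy for this example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "pdf"}


def extension_of(name: str) -> str:
    """Last dotted suffix of the raw name, lower-cased, without the dot."""
    return os.path.splitext(name)[1].lstrip(".").lower()


def strip_control_chars(name: str) -> str:
    """Remove every Unicode control/format character (tabs, newlines, NULs...)."""
    return "".join(ch for ch in name if not unicodedata.category(ch).startswith("C"))


def vulnerable_accept(name: str):
    """Flawed flow: the allow-list sees the trailing '.jpg' on the RAW name, but
    the name actually written is cut at the first control character, so the
    file lands on disk as 'report.php'. Returns the stored name or None."""
    if extension_of(name) not in ALLOWED_EXTENSIONS:
        return None
    stored = re.split(r"[\x00-\x1f\x7f]", name)[0]  # assumed storage-side truncation
    return stored


def hardened_accept(name: str):
    """Normalize first, then validate the exact name that will be stored:
    every dotted segment must be allow-listed, so a hidden 'php' segment
    anywhere in the name is rejected rather than smuggled past the check."""
    cleaned = os.path.basename(strip_control_chars(name))
    base, *exts = cleaned.split(".")
    if not base or not exts:
        return None
    if any(ext.lower() not in ALLOWED_EXTENSIONS for ext in exts):
        return None
    return cleaned


if __name__ == "__main__":
    print("vulnerable stores:", repr(vulnerable_accept(SAMPLE_NAME)))  # 'report.php'
    print("hardened stores:  ", repr(hardened_accept(SAMPLE_NAME)))    # None
```

The detection lesson is the same for any upload handler: log and compare the name the validator approved with the name the storage layer wrote, and alert when they differ.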
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense’s mission is