diff --git a/cves/2020/CVE-2020-35489.yaml b/cves/2020/CVE-2020-35489.yaml
new file mode 100644
index 00000000000..38c6fb3ae61
--- /dev/null
+++ b/cves/2020/CVE-2020-35489.yaml
@@ -0,0 +1,30 @@
+id: CVE-2020-35489
+
+info:
+  name: WordPress Contact Form 7 Plugin - Unrestricted File Upload
+  author: soyelmago
+  severity: critical
+  description: The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2020-35489
+  tags: cve,cve2020,wordpress,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/contact-form-7/readme.txt"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "Contact Form 7"
+        part: body
+
+      - type: regex
+        regex:
+          - '^([0-4]\.|5\.[0-2]\.|5\.3\.[0-1]$)'
+        part: body
\ No newline at end of file
diff --git a/workflows/wordpress-workflow.yaml b/workflows/wordpress-workflow.yaml
index a946498d2f1..48e27c39645 100644
--- a/workflows/wordpress-workflow.yaml
+++ b/workflows/wordpress-workflow.yaml
@@ -28,6 +28,7 @@ workflows:
           - template: cves/2020/CVE-2020-13700.yaml
           - template: cves/2020/CVE-2020-14092.yaml
           - template: cves/2020/CVE-2020-35951.yaml
+          - template: cves/2020/CVE-2020-35489.yaml
           - template: vulnerabilities/wordpress/wordpress-auth-bypass-wptimecapsule.yaml
           - template: vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml
           - template: vulnerabilities/wordpress/wordpress-total-upkeep-backup-download.yaml