CVE-2020-12832
published 2020-05-13

Priority P179 | critical | 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW | EXPLOIT | VulnCheck KEV
Exploited in the wild
EPSS: 7.13% (93.5th percentile)

WordPress Plugin Simple File List before 4.2.8 is prone to a vulnerability that lets attackers delete arbitrary files because the application fails to properly verify user-supplied input.

Affected

1 range
Vendor | Product | Version range | Fixed in
simplefilelist | simple-file-list | < 4.2.8 | 4.2.8

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
path: wp-content%2Fuploads%2Fsimple-file-list%2F..%2F
path: /wp-content/uploads/
command: action=sfl_upload_job
  • Look for POST requests to /wp-admin/admin-ajax.php with action=sfl_upload_job and a multipart body containing eeSFL_FileUploadDir with path traversal sequences (%2F..%2F) to detect exploitation of CVE-2020-12832.
  • Monitor for the multipart form-data field eeSFL_FileUploadDir containing URL-encoded path traversal sequences (e.g., wp-content%2Fuploads%2Fsimple-file-list%2F..%2F) indicating an attempt to write files outside the upload directory.
  • Detect reconnaissance phase: GET requests to /?rest_route=/wp/v2/pages&per_page=100 followed by page slug enumeration looking for pages containing 'eeSFL_UploadGo' in rendered content.
  • Detect nonce harvesting: responses containing the regex pattern name="ee-simple-file-list-upload-nonce" with a value attribute, indicating an attacker is scraping the upload nonce prior to exploitation.
  • Alert on uploaded files appearing directly under /wp-content/uploads/ (not in the simple-file-list subdirectory), which indicates successful path traversal exploitation.
  • The multipart boundary ----WebKitFormBoundarytA7kTuCe4IHDaUBZ is used in the PoC/nuclei template and may appear in automated exploit traffic.
  • The path traversal payload uses URL-encoded separators; WAF/IDS rules must decode %2F before matching to avoid bypass.
  • Exploitation requires a valid eeSFL_ID and ee-simple-file-list-upload nonce, which the attacker harvests from the plugin's upload page before sending the malicious POST. Detection should cover the full multi-step attack chain, not just the final upload request.
  • The vulnerability affects Simple File List plugin versions before 4.2.8; installations at or above 4.2.8 are not affected.
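
The first two detection bullets and the decode-before-match note, as an added detection sketch (not code from this page or from the plugin). It parses the multipart body, percent-decodes eeSFL_FileUploadDir and flags a ".." path segment. Assumptions: the request is available as method, target, Content-Type and raw body; the action may be in the query string or a form field; repeated decoding for nested encodings goes beyond the single-encoded case the page describes; build_sample_request produces constructed sample input.

```python
from email import message_from_bytes
from urllib.parse import parse_qs, unquote, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "sfl_upload_job"
DIR_FIELD = "eeSFL_FileUploadDir"

def fully_decode(value, rounds=3):
    """Percent-decode until stable so %2F (and nested %252F) become '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def multipart_fields(content_type, body):
    """Return {field name: text value} for a multipart/form-data body."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = message_from_bytes(raw)
    fields = {}
    if msg.is_multipart():
        for part in msg.get_payload():
            name = part.get_param("name", header="content-disposition")
            if name:
                data = part.get_payload(decode=True) or b""
                fields[name] = data.decode("utf-8", "replace").strip()
    return fields

def is_traversal_upload(method, target, content_type, body):
    """True when a request matches the upload pattern in the bullets above."""
    url = urlsplit(target)
    if method.upper() != "POST" or url.path != AJAX_PATH:
        return False
    fields = multipart_fields(content_type, body)
    # Assumption: the action may arrive in the query string or as a form field.
    actions = parse_qs(url.query).get("action", []) + [fields.get("action", "")]
    if ACTION not in actions:
        return False
    upload_dir = fully_decode(fields.get(DIR_FIELD, "")).replace("\\", "/")
    return ".." in upload_dir.split("/")

def build_sample_request(upload_dir, action=ACTION):
    """Constructed sample input: (method, target, content_type, body)."""
    boundary = "----constructedSampleBoundary"
    body = (f'--{boundary}\r\nContent-Disposition: form-data; name="{DIR_FIELD}"'
            f"\r\n\r\n{upload_dir}\r\n--{boundary}--\r\n").encode()
    ctype = f"multipart/form-data; boundary={boundary}"
    return "POST", f"{AJAX_PATH}?action={action}", ctype, body
```

A request whose eeSFL_FileUploadDir stays inside simple-file-list/ returns False, so the check can run over all sfl_upload_job traffic without flagging normal uploads.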

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | 9.8 | CRITICAL