CVE-2020-12832
Published: 2020-05-13
Priority: P179 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 7.13% (93.5th percentile)
WordPress Plugin Simple File List before 4.2.8 is prone to a vulnerability that lets attackers delete arbitrary files because the application fails to properly verify user-supplied input.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| simplefilelist | simple-file-list | < 4.2.8 | 4.2.8 |
Detection & IOCs (extracted from sources)
- url: /wp-admin/admin-ajax.php
- path: wp-content%2Fuploads%2Fsimple-file-list%2F..%2F
- path: /wp-content/uploads/
- command: action=sfl_upload_job
- Look for POST requests to /wp-admin/admin-ajax.php with action=sfl_upload_job and a multipart body containing eeSFL_FileUploadDir with path traversal sequences (%2F..%2F) to detect exploitation of CVE-2020-12832.
- Monitor for the multipart form-data field eeSFL_FileUploadDir containing URL-encoded path traversal sequences (e.g., wp-content%2Fuploads%2Fsimple-file-list%2F..%2F) indicating an attempt to write files outside the upload directory.
- Detect reconnaissance phase: GET requests to /?rest_route=/wp/v2/pages&per_page=100 followed by page slug enumeration looking for pages containing 'eeSFL_UploadGo' in rendered content.
- Detect nonce harvesting: responses containing the regex pattern name="ee-simple-file-list-upload-nonce" with a value attribute, indicating an attacker is scraping the upload nonce prior to exploitation.
- Alert on uploaded files appearing directly under /wp-content/uploads/ (not in the simple-file-list subdirectory), which indicates successful path traversal exploitation.
- The multipart boundary ----WebKitFormBoundarytA7kTuCe4IHDaUBZ is used in the PoC/nuclei template and may appear in automated exploit traffic.
- The path traversal payload uses URL-encoded separators; WAF/IDS rules must decode %2F before matching to avoid bypass.
- Exploitation requires a valid eeSFL_ID and ee-simple-file-list-upload nonce, which the attacker harvests from the plugin's upload page before sending the malicious POST. Detection should cover the full multi-step attack chain, not just the final upload request.
- The vulnerability affects Simple File List plugin versions before 4.2.8; installations at or above 4.2.8 are not affected.
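A sketch of the upload-request check described in the list above, as an added example (not code from this page, the plugin, or the nuclei template). It decodes `eeSFL_FileUploadDir` before matching, as the WAF/IDS note requires. The allowed directory, the request being available as method/URL/content type/body, the `action` value arriving in either the query string or a form field, and the sample request are all assumptions made for illustration.

```python
import posixpath
from email import message_from_bytes
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: the plugin's upload root, relative to the WordPress root.
ALLOWED_DIR = "wp-content/uploads/simple-file-list"

def multipart_fields(content_type, body):
    """Parse a multipart/form-data body into {field name: text value}."""
    msg = message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    fields = {}
    for part in (msg.get_payload() if msg.is_multipart() else []):
        name = part.get_param("name", header="content-disposition")
        if name:
            fields[name] = (part.get_payload(decode=True) or b"").decode("utf-8", "replace").strip()
    return fields

def fully_decode(value, rounds=3):
    """URL-decode repeatedly so %2F and double-encoded %252F both become '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")  # treat Windows separators like '/'

def escapes_upload_dir(upload_dir):
    """True if the decoded, normalised directory resolves outside ALLOWED_DIR."""
    norm = posixpath.normpath(fully_decode(upload_dir)).lstrip("/")
    return not (norm == ALLOWED_DIR or norm.startswith(ALLOWED_DIR + "/"))

def is_suspicious(method, url, content_type, body):
    """Flag sfl_upload_job POSTs whose eeSFL_FileUploadDir leaves the upload root."""
    target = urlsplit(url)
    if method != "POST" or target.path != "/wp-admin/admin-ajax.php":
        return False
    fields = multipart_fields(content_type, body)
    action = parse_qs(target.query).get("action", [""])[0] or fields.get("action", "")
    upload_dir = fields.get("eeSFL_FileUploadDir")
    return action == "sfl_upload_job" and upload_dir is not None and escapes_upload_dir(upload_dir)

# Constructed sample request (boundary and layout are made up for the example).
CTYPE = "multipart/form-data; boundary=EXAMPLE"

def sample_body(upload_dir):
    field = '--EXAMPLE\r\nContent-Disposition: form-data; name="%s"\r\n\r\n%s\r\n'
    return (field % ("action", "sfl_upload_job")
            + field % ("eeSFL_FileUploadDir", upload_dir) + "--EXAMPLE--\r\n").encode()

if __name__ == "__main__":
    for d in ("wp-content%2Fuploads%2Fsimple-file-list%2F", "wp-content%2Fuploads%2Fsimple-file-list%2F..%2F"):
        print(d, is_suspicious("POST", "/wp-admin/admin-ajax.php", CTYPE, sample_body(d)))
```

Normalising the decoded path and comparing it to the expected root also catches double-encoded and backslash-separated variants that a literal `%2F..%2F` match would miss.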
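CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |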
GHSA
CVE-2020-12832 [HIGH] GHSA-h2cg-59q7-cp5x (ghsa_unreviewed · 2022-05-24)
The simple-file-list plugin before 4.2.8 for WordPress mishandles a .. sequence within a pathname in cases where front-side file management occurs on a non-Linux platform.
VulnCheck
CVE-2020-12832 [CRITICAL] simplefilelist simple-file-list Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2020 · CVSS 9.8
WordPress Plugin Simple File List before 4.2.8 is prone to a vulnerability that lets attackers delete arbitrary files because the application fails to properly verify user-supplied input.
Affected: simplefilelist simple-file-list
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-02&host_type=src&vulnerability=cve-2020-12832; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-31&host_type=src&vulnerability=cve-2020-12832; https://
No detection rules found.
Nuclei
CVE-2020-12832 [CRITICAL] WordPress Simple File List - Path Traversal
nuclei · CVSS 9.8
Simple File List plugin allows path traversal via file upload, enabling files to be written outside the upload directory.
Template:
```yaml
id: CVE-2020-12832

info:
  name: WordPress Simple File List - Path Traversal
  author: riteshs4hu
  severity: critical
  description: |
    Simple File List plugin allows path traversal via file upload, enabling files to be written outside the upload directory.
  impact: |
    Attackers can delete arbitrary files on the server, potentially causing data loss or service disruption.
  remediation: |
    Update to version 4.2.8 or later.
  reference:
    - https://wpscan.com/vulnerability/422360b9-4c70-4fd9-9833-375f1294bd7a/
    - http://nvd.nist.gov/vuln/detail/CVE-2020-12832
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:
```
No writeups or analysis indexed.
References:
- https://ctulhu.me/2020/05/16/cve-2020-12832/
- https://plugins.trac.wordpress.org/changeset/2302759
- https://wordpress.org/plugins/simple-file-list/#developers