cbcvebase.
CVE-2020-36847
published 2025-07-12

Priority: P186, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 12.63% (95.8th percentile)

The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server.

Affected

2 ranges
Vendor          Product           Version range   Fixed in
eemitch         simple_file_list  < 4.2.3         4.2.3
simplefilelist  simple_file_list  < 4.2.3         4.2.3

Detection & IOCs (extracted from sources)

path: wp-content/plugins/simple-file-list/ee-upload-engine.php
path: wp-content/plugins/simple-file-list/ee-file-engine.php
path: wp-content/uploads/simple-file-list/
  • Detect unauthenticated POST requests to ee-upload-engine.php uploading a file with a .png extension but PHP content (PHP webshell payload masquerading as image/png).
  • Detect unauthenticated POST requests to ee-file-engine.php with parameters 'oldFile' and 'newFile' where newFile changes a .png extension to .php — this is the rename step that enables RCE.
  • Alert on any GET request to wp-content/uploads/simple-file-list/*.php, which indicates a successfully renamed and potentially executed webshell.
  • The rename function does not enforce file extension restrictions; monitor for any .php files appearing under the simple-file-list upload directory.
  • Use the Google Dork to identify exposed WordPress instances running the vulnerable plugin for proactive scanning.
  • The vulnerability affects Simple-File-List plugin versions up to and including 4.2.2; version 4.2.3 and later contain the fix. Ensure detections target only hosts running the vulnerable version range.
  • The exploit is unauthenticated; no session cookie or credentials are required, meaning WAF rules must block at the network/HTTP layer without relying on auth-state context.
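
The log-based checks above can be run over a web server access log as follows. This is an added example, not code from this page's sources or from the plugin; it assumes Combined Log Format, the function names `classify` and `triage` are hypothetical, and the sample lines are constructed. Access logs do not record request bodies, so the `oldFile`/`newFile` parameters and the PHP-in-PNG content check are out of its scope.

```python
import re
from urllib.parse import unquote

# Paths from the page's Detection & IOCs list.
UPLOAD_ENGINE = "/wp-content/plugins/simple-file-list/ee-upload-engine.php"
FILE_ENGINE = "/wp-content/plugins/simple-file-list/ee-file-engine.php"
UPLOAD_DIR = "/wp-content/uploads/simple-file-list/"

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

def classify(line):
    """Return (client_ip, stage, status) for a relevant log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    # Drop the query string, decode %-escapes and fold case before matching.
    path = unquote(target.split("?", 1)[0]).lower()
    # endswith() also covers WordPress installed in a subdirectory.
    if method == "POST" and path.endswith(UPLOAD_ENGINE):
        return ip, "upload", int(status)
    if method == "POST" and path.endswith(FILE_ENGINE):
        return ip, "rename", int(status)
    # Any method, not only GET: no .php file belongs in this directory.
    if UPLOAD_DIR in path and path.endswith(".php"):
        return ip, "php-in-upload-dir", int(status)
    return None

def triage(lines):
    """Per client IP: stages in log order; 'alert' once a .php under the upload dir is requested."""
    report = {}
    for line in lines:
        hit = classify(line)
        if hit:
            ip, stage, _ = hit
            entry = report.setdefault(ip, {"stages": [], "severity": "review"})
            entry["stages"].append(stage)
            if stage == "php-in-upload-dir":
                entry["severity"] = "alert"
    return report

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Jul/2025:10:00:01 +0000] "POST /wp-content/plugins/simple-file-list/ee-upload-engine.php HTTP/1.1" 200 52',
    '203.0.113.10 - - [12/Jul/2025:10:00:02 +0000] "POST /wp-content/plugins/simple-file-list/ee-file-engine.php HTTP/1.1" 200 2',
    '203.0.113.10 - - [12/Jul/2025:10:00:03 +0000] "GET /wp-content/uploads/simple-file-list/a1b2c3.php HTTP/1.1" 200 17',
    '198.51.100.7 - - [12/Jul/2025:10:05:00 +0000] "GET /wp-content/uploads/simple-file-list/report.png HTTP/1.1" 200 48213',
    '198.51.100.7 - - [12/Jul/2025:10:05:09 +0000] "POST /blog/wp-content/plugins/simple-file-list/ee-upload-engine.php HTTP/1.1" 200 52',
]
```

POSTs to the two engine files are left at "review" because the plugin also receives them in normal use; a request for a .php file under the upload directory is what raises the entry to "alert".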

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck        9.8  CRITICAL