CVE-2020-36847
published 2025-07-12CVE-2020-36847: The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be…
PriorityP186critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
12.63%
95.8th percentile
The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eemitch | simple_file_list | < 4.2.3 | 4.2.3 |
| simplefilelist | simple_file_list | < 4.2.3 | 4.2.3 |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect unauthenticated POST requests to ee-upload-engine.php uploading a file with a .png extension but PHP content (PHP webshell payload masquerading as image/png). ↗
- →Detect unauthenticated POST requests to ee-file-engine.php with parameters 'oldFile' and 'newFile' where newFile changes a .png extension to .php — this is the rename step that enables RCE. ↗
- →Alert on any GET request to wp-content/uploads/simple-file-list/*.php, which indicates a successfully renamed and potentially executed webshell. ↗
- →The rename function does not enforce file extension restrictions; monitor for any .php files appearing under the simple-file-list upload directory. ↗
- →Use the Google Dork to identify exposed WordPress instances running the vulnerable plugin for proactive scanning. ↗
- ·The vulnerability affects Simple-File-List plugin versions up to and including 4.2.2; version 4.2.3 and later contain the fix. Ensure detections target only hosts running the vulnerable version range. ↗
- ·The exploit is unauthenticated — no session cookie or credentials are required, meaning WAF rules must block at the network/HTTP layer without relying on auth-state context. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-34hm-qhxq-8vfv: The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4
ghsa_unreviewed·2025-07-12
CVE-2020-36847 [CRITICAL] CWE-434 GHSA-34hm-qhxq-8vfv: The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4
The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server.
VulnCheck
simplefilelist simple_file_list Unrestricted Upload of File with Dangerous Type
vulncheck·2020·CVSS 9.8
CVE-2020-36847 [CRITICAL] simplefilelist simple_file_list Unrestricted Upload of File with Dangerous Type
simplefilelist simple_file_list Unrestricted Upload of File with Dangerous Type
The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server.
Affected: simplefilelist simple_file_list
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://ctrlaltintel.com/research/Wordpress/
Exploit PoC: https://vulncheck.com/xdb/ec52bbb216f8; https://vulncheck.com/xdb/ee72a50e36ee
No detection rules found.
Exploit-DB
Simple File List WordPress Plugin 4.2.2 - File Upload to RCE
exploitdb·2025-07-22·CVSS 9.8
CVE-2020-36847 [CRITICAL] Simple File List WordPress Plugin 4.2.2 - File Upload to RCE
Simple File List WordPress Plugin 4.2.2 - File Upload to RCE
---
# Exploit Title: Simple File List WordPress Plugin 4.2.2 - File Upload to RCE
# Google Dork: inurl:/wp-content/plugins/simple-file-list/
# Date: 2025-07-15
# Exploit Author: Md Amanat Ullah (xSwads)
# Vendor Homepage: https://wordpress.org/plugins/simple-file-list/
# Software Link:
https://downloads.wordpress.org/plugin/simple-file-list.4.2.2.zip
# Version: "
UPLOAD_PATH = "wp-content/plugins/simple-file-list/ee-upload-engine.php"
RENAME_PATH = "wp-content/plugins/simple-file-list/ee-file-engine.php"
UPLOAD_FOLDER = "wp-content/uploads/simple-file-list/"
def FilterURLS(site):
site = site.strip()
if not site.startswith(('http://', 'https://')):
site = 'http://' + site
if not site.endswith('/'):
site += '/'
return site
def
Metasploit
WordPress Simple File List Unauthenticated Remote Code Execution
metasploit
WordPress Simple File List Unauthenticated Remote Code Execution
WordPress Simple File List Unauthenticated Remote Code Execution
Simple File List (simple-file-list) plugin before 4.2.3 for WordPress allows remote unauthenticated attackers to upload files within a controlled list of extensions. However, the rename function does not conform to the file extension restrictions, thus allowing arbitrary PHP code to be uploaded first as a png then renamed to php and executed.
No writeups or analysis indexed.
https://packetstormsecurity.com/files/160221/https://plugins.trac.wordpress.org/changeset/2286920/simple-file-listhttps://wpscan.com/vulnerability/365da9c5-a8d0-45f6-863c-1b1926ffd574/https://www.cybersecurity-help.cz/vdb/SB2020042711https://www.wordfence.com/threat-intel/vulnerabilities/id/9eb835fd-6ebf-4162-856c-0366b663a07e?source=cvehttps://wpscan.com/vulnerability/365da9c5-a8d0-45f6-863c-1b1926ffd574/
2025-07-12
Published
Exploited in the wild