CVE-2020-36847

Published: Jul 12, 2025Modified: Jul 29, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: security@wordfence.com (Secondary)

Description

The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server.

Affected (1)

Products: Simplefilelist: Simple File List

1 product

Simple File List

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Simplefilelist Simple File List	Before 4.2.3

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (6)

https://packetstormsecurity.com/files/160221/

Source: security@wordfence.com

Exploit

https://plugins.trac.wordpress.org/changeset/2286920/simple-file-list

Source: security@wordfence.com

Patch

https://wpscan.com/vulnerability/365da9c5-a8d0-45f6-863c-1b1926ffd574/

Source: security@wordfence.com

ExploitThird Party Advisory

https://www.cybersecurity-help.cz/vdb/SB2020042711

Source: security@wordfence.com

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/9eb835fd-6ebf-4162-856c-0366b663a07e?source=cve

Source: security@wordfence.com

Third Party Advisory

https://wpscan.com/vulnerability/365da9c5-a8d0-45f6-863c-1b1926ffd574/

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitThird Party Advisory

Timeline

No history available yet.