CVE-2020-36847

high-risk
Published 2025-07-12

The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server.

Do I need to act?

!
87.2% chance of exploitation in next 30 days
EPSS score — higher than 13% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
52371
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Simple File List

Affected Vendors

Simplefilelist

References (6)

Exploit https://packetstormsecurity.com/files/160221/
Patch https://plugins.trac.wordpress.org/changeset/2286920/simple-file-list
Exploit https://wpscan.com/vulnerability/365da9c5-a8d0-45f6-863c-1b1926ffd574/
Third Party Advisory https://www.cybersecurity-help.cz/vdb/SB2020042711
Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/9eb835fd-6ebf-4162-856...
Exploit https://wpscan.com/vulnerability/365da9c5-a8d0-45f6-863c-1b1926ffd574/
57
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 20/34 · Moderate
Exposure 5/34 · Minimal