CVE-2020-36847

Simple File List < 4.2.3 - Remote Code Execution

CVSS 9.8 CRITICALEPSS 12.6%CWE-434

Vexday Risk Score

68High priority

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.8EPSS 12.6%KEV nãoPoC públicaNuclei —Metasploit simPatch —

Lifecycle

27 Apr 2020Metasploit module available

12 Jul 2025Published on NVD

22 Jul 2025Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

eemitch · Simple File List

public PoCs found — 3

githubgithub.com/ftz7/PoC-CVE-2020-36847-WordPress-Plugin-4.2.2-RCE★ 1 cve_referencepacketstormsecurity.com/files/160221/unverified exploitdbwww.exploit-db.com/exploits/52371unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://packetstormsecurity.com/files/160221/https://plugins.trac.wordpress.org/changeset/2286920/simple-file-list https://wpscan.com/vulnerability/365da9c5-a8d0-45f6-863c-1b1926ffd574/https://www.cybersecurity-help.cz/vdb/SB2020042711 https://www.wordfence.com/threat-intel/vulnerabilities/id/9eb835fd-6ebf-4162-856c-0366b663a07e?source=cve