vulnerability

WordPress Plugin: simple-file-list: CVE-2020-36847: Unrestricted Upload of File with Dangerous Type

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)	Nov 2, 2020	Jul 14, 2025	Jul 14, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

Nov 2, 2020

Added

Jul 14, 2025

Modified

Jul 14, 2025

Description

The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server.

Solution

simple-file-list-plugin-cve-2020-36847

References

URL-https://www.cve.org/CVERecord?id=CVE-2020-36847
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/9eb835fd-6ebf-4162-856c-0366b663a07e?source=api-prod
CVE-2020-36847
https://attackerkb.com/topics/CVE-2020-36847
CWE-434

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today