DNA View

Critical Severity Vulnerability

This vulnerability has been rated as Critical severity. Immediate action is recommended.

CVE-2020-36847

Severity: Critical
CVSS Score: 9.8
Published: Jul 12, 2025
Last Modified: Jul 29, 2025

Vulnerability Description

The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2. The plugin's rename function can be used to rename an uploaded file that contains PHP code from a png extension to a php extension, which allows unauthenticated attackers to execute code on the server.

CVSS Metrics

Common Vulnerability Scoring System

Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: N
Attack Complexity: L
Privileges Required: N
User Interaction: N
Scope: U
Confidentiality: H
Integrity: H
Availability: H

Known Affected Software

35 configuration(s) from 1 vendor(s)

simple_file_list, Version: 3.2.7, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.2.7:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.2.4, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.2.4:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.2.6, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.2.6:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.2.16, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.2.16:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.2.14, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.2.14:*:*:*:*:wordpress:*:*
simple_file_list, Version: 4.1.3, CPE: cpe:2.3:a:simplefilelist:simple_file_list:4.1.3:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.2.13, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.2.13:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.2.10, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.2.10:*:*:*:*:wordpress:*:*
simple_file_list, Version: 1.0.1, CPE: cpe:2.3:a:simplefilelist:simple_file_list:1.0.1:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.0.5, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.0.5:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.2.15, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.2.15:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.2.17, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.2.17:*:*:*:*:wordpress:*:*
simple_file_list, Version: 4.2.2, CPE: cpe:2.3:a:simplefilelist:simple_file_list:4.2.2:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.0.6, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.0.6:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.2.1, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.2.1:*:*:*:*:wordpress:*:*
simple_file_list, Version: 1.0.3, CPE: cpe:2.3:a:simplefilelist:simple_file_list:1.0.3:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.0.4, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.0.4:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.2.2, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.2.2:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.2.8, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.2.8:*:*:*:*:wordpress:*:*
simple_file_list, Version: 4.1.2, CPE: cpe:2.3:a:simplefilelist:simple_file_list:4.1.2:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.1.1, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.1.1:*:*:*:*:wordpress:*:*
simple_file_list, Version: 2.0.8, CPE: cpe:2.3:a:simplefilelist:simple_file_list:2.0.8:*:*:*:*:wordpress:*:*
simple_file_list, Version: 4.2.1, CPE: cpe:2.3:a:simplefilelist:simple_file_list:4.2.1:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.2.12, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.2.12:*:*:*:*:wordpress:*:*
simple_file_list, Version: 4.1.0, CPE: cpe:2.3:a:simplefilelist:simple_file_list:4.1.0:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.2.3, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.2.3:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.2.5, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.2.5:*:*:*:*:wordpress:*:*
simple_file_list, Version: 2.0.7, CPE: cpe:2.3:a:simplefilelist:simple_file_list:2.0.7:*:*:*:*:wordpress:*:*
simple_file_list, Version: 1.0, CPE: cpe:2.3:a:simplefilelist:simple_file_list:1.0:*:*:*:*:wordpress:*:*
simple_file_list, Version: 4.1.1, CPE: cpe:2.3:a:simplefilelist:simple_file_list:4.1.1:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.1.2, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.1.2:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.2.11, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.2.11:*:*:*:*:wordpress:*:*
simple_file_list, Version: 1.0.4, CPE: cpe:2.3:a:simplefilelist:simple_file_list:1.0.4:*:*:*:*:wordpress:*:*
simple_file_list, Version: 3.2.9, CPE: cpe:2.3:a:simplefilelist:simple_file_list:3.2.9:*:*:*:*:wordpress:*:*
simple_file_list, Version: 1.0.2, CPE: cpe:2.3:a:simplefilelist:simple_file_list:1.0.2:*:*:*:*:wordpress:*:*

This vulnerability affects 35 software configuration(s). Ensure you patch all affected systems.

Severity Details

9.8 out of 10.0 (Critical)

Key Information

Published Date: July 12, 2025