CVE-2020-36847 in Simple-File-List Plugin
Summary
by MITRE • 07/12/2025
The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server.
Analysis
by VulDB Data Team • 07/30/2025
The Simple-File-List WordPress plugin contains a critical remote code execution vulnerability, documented as CVE-2020-36847, affecting versions up to and including 4.2.2. The vulnerability stems from insufficient input validation in the plugin's file renaming functionality, which gives unauthenticated attackers a way to execute arbitrary code on affected systems. The flaw manifests when the plugin processes file renaming operations: an attacker can change a file's extension from png to php, bypassing the restrictions that normally prevent PHP files from being uploaded and executed.
Exploitation relies on the plugin's rename function, which fails to properly sanitize user-supplied input during file operations. Attackers can upload a malicious PHP file with a .png extension and then use the vulnerable rename functionality to change its extension to .php, turning what appears to be a harmless image file into an executable script. This vulnerability maps directly to CWE-434, which describes insecure file upload vulnerabilities where applications fail to properly validate file types and extensions. The issue is a classic case of insufficient input sanitization and improper file handling, allowing attackers to circumvent security controls designed to prevent execution of potentially malicious code.
The operational impact of this vulnerability extends beyond simple code execution, as it gives attackers complete control over the affected WordPress installation. Once the flaw is exploited, attackers can upload additional malicious files, modify existing content, steal sensitive data, or establish persistent access by installing backdoors. The vulnerability can be exploited by unauthenticated users, meaning any visitor to the website can potentially exploit it without valid credentials. This makes the attack surface particularly broad and dangerous for WordPress sites running a vulnerable plugin version, as the attack can be launched without prior authorization or knowledge of system credentials.
Security mitigations for CVE-2020-36847 primarily focus on immediate plugin updates to version 4.2.3 or later, which contains the necessary patches to address the file renaming validation issue. Organizations should also implement additional defensive measures including restricting file upload capabilities, implementing proper file extension validation, and deploying web application firewalls to monitor for suspicious file operations. The vulnerability aligns with ATT&CK technique T1190, which describes exploitation of vulnerabilities in web applications, and T1059, covering command and scripting interpreter usage for execution. System administrators should conduct thorough security audits of all WordPress installations, verify plugin versions, and implement monitoring for unusual file operations that could indicate exploitation attempts. Regular security updates and proper access controls remain essential defensive strategies against such vulnerabilities.
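The extension validation recommended above can be sketched as a rename check that refuses the png-to-php change and also rejects image-named files whose content is not an image. This is an added example, not code from Simple-File-List or its 4.2.3 patch; the function name, the allow-list and the demo files are assumptions, and the caller is assumed to have authenticated and authorised the request already.

```php
<?php
// Added example: hypothetical helper, not code from Simple-File-List.
const ALLOWED_EXT = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt']; // assumed policy
const IMAGE_EXT   = ['png', 'jpg', 'jpeg', 'gif'];

/** Validate an untrusted rename request; return the target path or throw. */
function safe_rename_target(string $dir, string $old, string $new): string
{
    foreach ([$old, $new] as $name) {            // no path components, no NUL
        if ($name === '' || strpbrk($name, "/\\\0") !== false) {
            throw new InvalidArgumentException('bad file name');
        }
    }
    $oldExt = strtolower(pathinfo($old, PATHINFO_EXTENSION));
    $newExt = strtolower(pathinfo($new, PATHINFO_EXTENSION));
    // A rename changes the base name only: png -> php is refused here.
    if ($newExt !== $oldExt || !in_array($newExt, ALLOWED_EXT, true)) {
        throw new InvalidArgumentException('extension not allowed');
    }
    // No dots in the stem, so "x.php.png" cannot reach a lax handler mapping.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', pathinfo($new, PATHINFO_FILENAME))) {
        throw new InvalidArgumentException('bad base name');
    }
    $base = realpath($dir);
    $src  = realpath($dir . '/' . $old);         // resolves symlinks
    if ($base === false || $src === false || !is_file($src) || dirname($src) !== $base) {
        throw new InvalidArgumentException('source not in upload directory');
    }
    // Defence in depth: an image extension must hold image content.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($src);
    if (in_array($oldExt, IMAGE_EXT, true) && strncmp((string) $mime, 'image/', 6) !== 0) {
        throw new InvalidArgumentException('content does not match extension');
    }
    $dst = $base . '/' . $new;
    if (file_exists($dst)) {
        throw new InvalidArgumentException('target exists');
    }
    return $dst;
}

// Constructed demo data in a temporary directory.
$dir = sys_get_temp_dir() . '/sfl_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/logo.gif", "GIF89a\x01\x00\x01\x00\x00\x00\x00;"); // minimal GIF header
file_put_contents("$dir/pic.png", "<?php /* code stored under an image name */");
foreach ([['logo.gif', 'banner.gif'], ['logo.gif', 'banner.php'],
          ['pic.png', 'pic.php'], ['pic.png', 'photo.png'], ['logo.gif', '../x.gif']] as [$o, $n]) {
    try { echo "$o -> $n: ok ", basename(safe_rename_target($dir, $o, $n)), "\n"; }
    catch (InvalidArgumentException $e) { echo "$o -> $n: refused ({$e->getMessage()})\n"; }
}
```

Only the first constructed request is accepted. The content check needs PHP's fileinfo extension and is a secondary control, since crafted files can carry a valid image header.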