CVE-2020-36847
Published: 12 July 2025
Summary
CVE-2020-36847 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Simplefilelist Simple File List. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Simple-File-List Plugin for WordPress, in versions up to and including 4.2.2, is vulnerable to remote code execution (CVE-2020-36847, CWE-434). The issue stems from the plugin's rename function, which lets attackers rename an uploaded file containing PHP code, initially disguised with a .png extension, to a .php extension so that the server executes it. This flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity: it is reachable over the network, has low attack complexity, and requires no privileges or user interaction.
Unauthenticated attackers can exploit this vulnerability remotely without user interaction. By uploading a PHP payload masquerading as an image and then leveraging the rename function, they gain the ability to execute arbitrary code on the affected WordPress server, potentially leading to full server compromise, data theft, or further lateral movement.
Advisories from sources including WPScan, Wordfence, Packet Storm, and Cybersecurity-Help detail the vulnerability, while the WordPress plugin trac changeset 2286920 provides the patch fixing the issue in later versions. Security practitioners should urge users to update the Simple-File-List Plugin beyond version 4.2.2 to mitigate exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30797
Vulnerability details
The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function, which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE via unauthenticated file upload+rename in public WordPress plugin enables T1190 initial access and T1505.003 web shell deployment/execution.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring timely patching of the flawed rename function in the Simple-File-List plugin to prevent RCE from uploaded PHP code.
Enforces validation of file content, extensions, and types during upload and rename operations to block execution of PHP code disguised as PNG files.
Restricts file rename inputs to authorized types and extensions, preventing attackers from changing .png to .php for code execution.
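The input-validation controls above can be pictured as one set of name and content rules applied to both the upload and the rename path. The following is an added sketch, not the plugin's code and not the fix in changeset 2286920; the allowlist and the function names are assumptions made for this example.

```python
import os

# Assumed allowlist for this sketch; use the site's own permitted upload types.
SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def _ext(name):
    return os.path.splitext(name)[1].lower()


def check_name(name):
    """Reasons to reject a file name; an empty list means the name is acceptable."""
    reasons = []
    if name != os.path.basename(name) or "\\" in name or "\x00" in name:
        reasons.append("name contains a path separator or NUL byte")
    if _ext(name) not in SIGNATURES:
        reasons.append("extension %r is not allowlisted" % _ext(name))
    return reasons


def check_upload(name, data):
    """Validate the name, then check that the content matches the claimed type."""
    reasons = check_name(name)
    if not reasons and not data.startswith(SIGNATURES[_ext(name)]):
        reasons.append("content does not start with the %s signature" % _ext(name))
    if b"<?php" in data.lower():
        reasons.append("content contains a PHP open tag")
    return reasons


def check_rename(old_name, new_name):
    """Apply the same name rules on rename and forbid changing the extension."""
    reasons = check_name(new_name)
    if _ext(old_name) != _ext(new_name):
        reasons.append("rename changes extension %r to %r" % (_ext(old_name), _ext(new_name)))
    return reasons


# Constructed sample: PHP source uploaded under an image name, then renamed.
SAMPLE_PAYLOAD = b"<?php /* constructed sample */ ?>"
if __name__ == "__main__":
    print(check_upload("avatar.png", SAMPLE_PAYLOAD))
    print(check_rename("avatar.png", "avatar.php"))
```

These checks complement patching and do not replace it; serving the upload directory with script execution disabled is a further layer that does not depend on the plugin's own validation.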