Cyber Resilience

CVE-2020-36847

Critical · Public PoC

Published: 12 July 2025

Modified: 29 July 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8930 (99.6th percentile)
Risk Priority: 73 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-36847 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Simplefilelist Simple File List. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Simple-File-List Plugin for WordPress, in versions up to and including 4.2.2, is vulnerable to remote code execution (CVE-2020-36847, CWE-434). The issue stems from the plugin's rename function, which enables attackers to rename uploaded files containing PHP code—initially disguised with a .png extension—to a .php extension, allowing execution of the malicious code on the server. This flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of prerequisites.

Unauthenticated attackers can exploit this vulnerability remotely without user interaction. By uploading a PHP payload masquerading as an image and then leveraging the rename function, they gain the ability to execute arbitrary code on the affected WordPress server, potentially leading to full server compromise, data theft, or further lateral movement.

Advisories from sources including WPScan, Wordfence, Packet Storm, and Cybersecurity-Help detail the vulnerability, while the WordPress plugin trac changeset 2286920 provides the patch fixing the issue in later versions. Security practitioners should urge users to update the Simple-File-List Plugin beyond version 4.2.2 to mitigate exploitation.

Vulnerability details

The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Direct RCE via unauthenticated file upload and rename in a public WordPress plugin enables T1190 initial access and T1505.003 web shell deployment and execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-46384 · Shared CWE-434
CVE-2025-13516 · Shared CWE-434
CVE-2024-13011 · Shared CWE-434
CVE-2025-8323 · Shared CWE-434
CVE-2025-21624 · Shared CWE-434
CVE-2026-35164 · Shared CWE-434
CVE-2026-2097 · Shared CWE-434
CVE-2025-12154 · Shared CWE-434
CVE-2026-42748 · Shared CWE-434
CVE-2025-32957 · Shared CWE-434

Affected Assets

simplefilelist · simple file list · ≤ 4.2.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring timely patching of the flawed rename function in the Simple-File-List plugin to prevent RCE from uploaded PHP code.

prevent

Enforces validation of file content, extensions, and types during upload and rename operations to block execution of PHP code disguised as PNG files.

prevent

Restricts file rename inputs to authorized types and extensions, preventing attackers from changing .png to .php for code execution.
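
A defender-side sweep of an upload directory, tied to the validation controls above: it flags files carrying a script extension anywhere in the name, image-named files whose leading bytes are not an image, and files containing a PHP open tag. This is an added example, not code from the plugin or from this advisory; the extension lists, the 1 MiB scan window and the sample files are assumptions constructed for illustration.

```python
"""Added example: sweep an upload dir for files a rename check should stop."""
import tempfile
from pathlib import Path

IMAGE_MAGIC = {                      # leading bytes expected per image extension
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}  # assumed handler map
PHP_TAG = b"<?php"                   # heuristic; short tags are not covered


def classify(path):
    """Return the findings for one file; an empty list means nothing flagged."""
    parts = Path(path).name.lower().split(".")
    exts = {"." + p for p in parts[1:]}      # every extension: catches "a.php.png"
    final = "." + parts[-1] if len(parts) > 1 else ""
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)              # scan the first 1 MiB only
    findings = []
    if exts & SCRIPT_EXTS:
        findings.append("script-extension")
    if final in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[final]):
        findings.append("magic-mismatch")
    if PHP_TAG in data.lower():
        findings.append("php-tag")
    return findings


def sweep(root):
    """Walk root and map relative path -> findings for each flagged file."""
    report = {}
    for p in sorted(Path(root).rglob("*")):
        hits = classify(p) if p.is_file() else []
        if hits:
            report[str(p.relative_to(root))] = hits
    return report


def demo():
    """Sweep a temp dir of constructed sample files (harmless echo payloads)."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    php = b"<?php echo 1; ?>"
    samples = {"logo.png": png, "notes.png": php, "poly.png": png + php,
               "renamed.php": php, "double.php.png": png}
    with tempfile.TemporaryDirectory() as root:
        for fname, body in samples.items():
            Path(root, fname).write_bytes(body)
        return sweep(root)
```

Call `sweep()` on the site's upload directory. The `poly.png` sample passes the magic-byte check and is caught only by the tag scan, so a header check alone does not cover the input validation control.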
