VDB
CVE-2020-36847
PUBLISHED
CVSS 9.8 CRITICAL
The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function, which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server.
EPSS 89.30% · 99.6th percentile
Risk Scores
CVSS v3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
89.30%
99.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| simplefilelist | simple_file_list | 0 |
| eemitch | Simple File List | * |
Timeline
- Dec 3, 2020 PoC Published
- Jul 12, 2025 EPSS Score
- Jul 12, 2025 CVE Published
- Jul 13, 2025 PoC Published
- Jul 21, 2025 EPSS Score
- Jul 23, 2025 PoC Published
- Jul 30, 2025 EPSS Score
- Jul 31, 2025 EPSS Score
- Aug 9, 2025 EPSS Score
- Aug 18, 2025 EPSS Score
- Aug 23, 2025 EPSS Score
- Aug 25, 2025 PoC Published
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9eb835fd-6ebf-4162-856c-0366b663a07e?source=cve
- https://plugins.trac.wordpress.org/changeset/2286920/simple-file-list
- https://packetstormsecurity.com/files/160221/
- https://www.cybersecurity-help.cz/vdb/SB2020042711
- https://wpscan.com/vulnerability/365da9c5-a8d0-45f6-863c-1b1926ffd574/
- https://nvd.nist.gov/vuln/detail/CVE-2020-36847 (advisory)