CVE-2020-36847

CRITICAL

Simple-File-List Plugin <4.2.2 - RCE

Exploitation Summary

EIP tracks 3 public exploits for CVE-2020-36847. PoCs published by Md Amanat Ullah (xSwads), ftz7, coiffeur, h00die, including Metasploit module exploits/multi/http/wp_simple_file_list_rce.

AI-analyzed exploit summary: This exploit targets a file upload vulnerability in the Simple File List WordPress plugin (CVE-2020-36847), allowing arbitrary file upload and renaming to achieve remote code execution (RCE). It uploads a PHP payload disguised as an image, renames it to a .php file, and verifies execution.

Description

The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server.

Exploits (3)

exploitdb WORKING POC
by Md Amanat Ullah (xSwads) · python · webapps · multiple
https://www.exploit-db.com/exploits/52371

This exploit targets a file upload vulnerability in the Simple File List WordPress plugin (CVE-2020-36847), allowing arbitrary file upload and renaming to achieve remote code execution (RCE). It uploads a PHP payload disguised as an image, renames it to a .php file, and verifies execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Simple File List WordPress Plugin <= 4.2.2
No auth needed
Prerequisites: Target running vulnerable WordPress plugin · Network access to the target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by ftz7 · poc
https://github.com/ftz7/PoC-CVE-2020-36847-WordPress-Plugin-4.2.2-RCE

This repository contains a functional exploit for CVE-2020-36847, an arbitrary file upload vulnerability in the WordPress Simple File List plugin (version 4.2.2). The exploit uploads a malicious PHP file disguised as a PNG, renames it to execute PHP code, and confirms RCE by accessing the uploaded shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Simple File List Plugin <= 4.2.2
No auth needed
Prerequisites: Target running vulnerable WordPress Simple File List plugin · Network access to the target
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC GOOD
by coiffeur, h00die · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_simple_file_list_rce.rb

This Metasploit module exploits an unauthenticated file upload vulnerability in the WordPress Simple File List plugin (CVE-2020-36847). It uploads a malicious PHP payload disguised as a PNG file, renames it to a PHP file, and executes it to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Simple File List plugin before 4.2.3
No auth needed
Prerequisites: Target must have the vulnerable WordPress Simple File List plugin installed and accessible
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.1263
EPSS Percentile 95.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (2)
eemitch/Simple File List < 4.2.3
simplefilelist/simple_file_list < 4.2.3
Published Jul 12, 2025
Tracked Since Feb 18, 2026