CVE-2020-36706
📋 TL;DR
This vulnerability in the Simple:Press WordPress plugin allows attackers to upload arbitrary files to affected WordPress sites due to missing file type validation. Attackers can potentially achieve remote code execution by uploading malicious files like PHP shells. All WordPress sites using Simple:Press plugin versions 6.6.0 and earlier are affected.
💻 Affected Systems
- Simple:Press - WordPress Forum Plugin
📦 What is this software?
Simple:Press by Simple Press
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, defacement, malware distribution, or use as part of a botnet.
Likely Case
Website defacement, backdoor installation, credential theft, and data exfiltration.
If Mitigated
Limited impact with proper file upload restrictions and web application firewalls in place.
🎯 Exploit Status
Exploitation requires no authentication and is straightforward due to missing file validation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.6.1 and later
Vendor Advisory: https://wordpress.org/plugins/simple-press/
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Simple:Press plugin.
4. Click 'Update Now' if update available.
5. Alternatively, download version 6.6.1+ from WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Disable Simple:Press Plugin
All platforms: Temporarily disable the vulnerable plugin until patched.
wp plugin deactivate simple-press
Restrict File Uploads via .htaccess
Linux: Block execution of uploaded files in the uploads directory.
Add to .htaccess in wp-content/uploads:
<Files *.php>
deny from all
</Files>
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block file uploads to the vulnerable endpoint.
- Restrict file upload permissions and monitor upload directories for suspicious files.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Simple:Press version. If version is 6.6.0 or lower, you are vulnerable.
Check Version:
wp plugin get simple-press --field=version
Verify Fix Applied:
Verify Simple:Press plugin version is 6.6.1 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-content/plugins/simple-press/admin/resources/jscript/ajaxupload/sf-uploader.php
- File uploads with unusual extensions (.php, .phtml) in upload directories
Network Indicators:
- HTTP POST requests to the vulnerable endpoint with file uploads
- Unusual outbound connections from the WordPress server
SIEM Query:
source="web_logs" AND uri="/wp-content/plugins/simple-press/admin/resources/jscript/ajaxupload/sf-uploader.php" AND method="POST"
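The log indicator above, as an added example (not taken from the plugin or from any referenced advisory): a small access-log triage script that finds POST requests to the sf-uploader.php endpoint even when the request line carries a query string, doubled slashes or percent-encoding. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint taken from the Log Indicators above.
ENDPOINT = ("/wp-content/plugins/simple-press/admin/resources/"
            "jscript/ajaxupload/sf-uploader.php")

# Assumption: Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalize_path(target):
    """Drop the query string, percent-decode, collapse '//' and './', lowercase."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def find_upload_posts(lines):
    """Map client IP -> [(timestamp, status)] for POSTs to the uploader."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = normalize_path(m["target"])
        # Also match trailing path info (sf-uploader.php/anything).
        if path == ENDPOINT or path.startswith(ENDPOINT + "/"):
            hits[m["ip"]].append((m["ts"], int(m["status"])))
    return dict(hits)

def clients_with_2xx(hits):
    """IPs whose POST got a 2xx reply (request reached the script): review first."""
    return sorted(ip for ip, events in hits.items()
                  if any(200 <= status < 300 for _, status in events))

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    f'198.51.100.7 - - [12/Mar/2021:10:01:05 +0000] "POST {ENDPOINT} HTTP/1.1" 200 48 "-" "-"',
    f'198.51.100.7 - - [12/Mar/2021:10:01:09 +0000] "POST /{ENDPOINT}?v=1 HTTP/1.1" 200 48 "-" "-"',
    f'203.0.113.5 - - [12/Mar/2021:10:02:00 +0000] "POST {ENDPOINT} HTTP/1.1" 403 199 "-" "-"',
    f'203.0.113.9 - - [12/Mar/2021:10:03:00 +0000] "GET {ENDPOINT} HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == "__main__":
    found = find_upload_posts(SAMPLE_LOG)
    print(found, clients_with_2xx(found))
```

For any client returned by clients_with_2xx, compare the hit timestamps against file creation times in the upload directories named under Log Indicators.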
🔗 References
- https://blog.nintechnet.com/wordpress-simplepress-plugin-fixed-critical-vulnerabilities/
- https://wpscan.com/vulnerability/27d4a8a5-9d81-4b42-92be-3f7d1ef22843
- https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-simple-press-wordpress-forum-arbitrary-file-upload-6-6-0/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/53eba5b4-7cc0-48e1-bb9c-6ed3207151ab?source=cve