CVE-2020-36847
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload PHP code under a .png extension and then rename the file to a .php extension, enabling remote code execution on WordPress servers. It affects Simple-File-List Plugin versions up to and including 4.2.2. Any WordPress site running a vulnerable version of the plugin is at risk of complete server compromise.
💻 Affected Systems
- WordPress Simple-File-List Plugin
📦 What is this software?
Simple File List by Simplefilelist
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover with attacker gaining full control, installing backdoors, stealing data, and using the server for further attacks.
Likely Case
Website defacement, data theft, malware deployment, and use as a foothold for lateral movement within the network.
If Mitigated
Limited impact if proper file upload restrictions and web application firewalls are in place, though risk remains significant.
🎯 Exploit Status
Exploit code is publicly available and requires minimal technical skill to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.3 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2286920/simple-file-list
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Simple-File-List and click 'Update Now'.
4. Verify the version is 4.2.3 or higher.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the Simple-File-List plugin until it is patched
wp plugin deactivate simple-file-list
Restrict File Uploads
Block .php file uploads via web server configuration
# Apache: add to an .htaccess in the upload directory (e.g. wp-content/uploads);
# at the site root this would also block WordPress's own PHP
<FilesMatch "\.php$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
# Nginx: add to the server block, scoped to the upload directory for the same reason
location ~ \.php$ {
    deny all;
}
🧯 If You Can't Patch
- Immediately disable the Simple-File-List plugin
- Implement web application firewall rules to block requests to rename.php endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Simple-File-List. If version is 4.2.2 or lower, you are vulnerable.
Check Version:
wp plugin get simple-file-list --field=version
Verify Fix Applied:
Verify plugin version is 4.2.3 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-content/plugins/simple-file-list/includes/ee-upload-engine.php with rename parameters
- File rename operations from .png to .php extensions in upload directories
Network Indicators:
- Unusual outbound connections from web server following file rename operations
- Traffic patterns matching known exploit payloads
SIEM Query:
source="web_logs" AND (uri="*ee-upload-engine.php*" AND method="POST" AND params="*rename*" AND params="*.png*" AND params="*.php*")
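The log indicators and SIEM query above can be applied offline to exported access logs. The following is an added example (not from this advisory, the plugin vendor, or any SIEM product) that parses combined-format access-log lines, flags POSTs to ee-upload-engine.php, and separates those whose parameters look like a .png to .php rename from ordinary posts to the endpoint; it also walks an upload directory for files with PHP-executable suffixes, which is the on-disk indicator from the list above. The parameter names (action, old_name, new_name), the sample log lines, and the suffix set are constructed assumptions; a plain access log does not record POST bodies, so the rename parameters are only visible if they are in the query string or your WAF logs request bodies.

```python
"""Added example: detect CVE-2020-36847-style rename activity in access logs
and find PHP files that should not be in an upload tree."""
import os
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/Nginx "combined" request line. Assumption: the parameters are visible
# in the logged request (query string) or supplied separately from a WAF body log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

VULN_ENDPOINT = "ee-upload-engine.php"        # endpoint named in the log indicators
PHP_SUFFIXES = (".php", ".phtml", ".phar")    # assumed set of server-executable suffixes


def rename_to_php(params):
    """True if a parameter set looks like a rename of a .png name to a PHP name.

    Mirrors the SIEM query: a 'rename' token plus one value ending in .png and
    one ending in a PHP-executable suffix.
    """
    keys = [k.lower() for k, _ in params]
    values = [v.lower() for _, v in params]
    has_rename = any("rename" in t for t in keys + values)
    has_png = any(v.endswith(".png") for v in values)
    has_php = any(v.endswith(PHP_SUFFIXES) for v in values)
    return has_rename and has_png and has_php


def parse_access_line(line, body=None):
    """Parse one log line; return (method, path, params) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    params = parse_qsl(parts.query, keep_blank_values=True)
    if body:  # optional POST body captured by a WAF / request logger
        params += parse_qsl(body, keep_blank_values=True)
    return m["method"], unquote_plus(parts.path), params


def classify(line, body=None):
    """Return 'rename_to_php', 'endpoint_post', or None for one log line."""
    parsed = parse_access_line(line, body)
    if parsed is None:
        return None
    method, path, params = parsed
    if method != "POST" or not path.endswith(VULN_ENDPOINT):
        return None
    return "rename_to_php" if rename_to_php(params) else "endpoint_post"


def scan_log(lines):
    """Return [(verdict, line)] for every line that touches the endpoint."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((verdict, line))
    return hits


def flag_php_paths(paths):
    """Return paths whose suffix is PHP-executable (case-insensitive)."""
    return [p for p in paths if p.lower().endswith(PHP_SUFFIXES)]


def scan_uploads(root):
    """Walk an upload tree (e.g. wp-content/uploads) and return PHP files found."""
    found = []
    for dirpath, _, files in os.walk(root):
        found.extend(flag_php_paths([os.path.join(dirpath, f) for f in files]))
    return found


# Constructed sample lines (not real traffic); the rename parameters are placed in
# the query string only so that the example runs without a body log.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Apr/2020:10:00:01 +0000] "GET /wp-content/plugins/simple-file-list/includes/ee-upload-engine.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [27/Apr/2020:10:00:02 +0000] "POST /wp-content/plugins/simple-file-list/includes/ee-upload-engine.php?action=rename&old_name=image.png&new_name=image.php HTTP/1.1" 200 38',
    '198.51.100.2 - - [27/Apr/2020:10:00:03 +0000] "POST /wp-content/plugins/simple-file-list/includes/ee-upload-engine.php?action=upload HTTP/1.1" 200 90',
    '198.51.100.3 - - [27/Apr/2020:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for verdict, line in scan_log(SAMPLE_LOG):
        print(verdict, "<-", line.split('"')[1])
```

Treat a 'rename_to_php' hit as an incident trigger and an 'endpoint_post' hit as context; any file returned by scan_uploads on a site that never legitimately stores PHP under uploads should be quarantined and its creation time correlated with the log hits.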
🔗 References
- https://packetstormsecurity.com/files/160221/
- https://plugins.trac.wordpress.org/changeset/2286920/simple-file-list
- https://wpscan.com/vulnerability/365da9c5-a8d0-45f6-863c-1b1926ffd574/
- https://www.cybersecurity-help.cz/vdb/SB2020042711
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9eb835fd-6ebf-4162-856c-0366b663a07e?source=cve