CVE Watchtower


← Back to CVE List

CVE-2020-36847NVD

Vulnerability Summary

The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server.
Severity Level
CRITICAL(9.8)
Published Date
Jul 12, 2025
Last Modified
Jul 29, 2025
Exploitation Status
No confirmed exploitation yet
EPSS Score (30-Day)
Data Pending
Root Weakness (CWE)
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
CVSS v3.1 Base Metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeUnchanged
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh