CVE-2020-36847

Q: What is CVE-2020-36847?

The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server.

Q: Is CVE-2020-36847 actively exploited?

A proof-of-concept exploit exists for CVE-2020-36847, but active exploitation has not been confirmed at this time.

Q: What is the CVSS score for CVE-2020-36847?

CVE-2020-36847 has a CVSS v3 base score of 9.8 (CRITICAL severity), with vector string 3.1.

CRITICAL

Simple File List < 4.2.3 - Remote Code Execution

CVSS v3

9.8

CRITICAL

EPSS Score

89.3%

exploit probability

CISA KEV

known exploited

Exploitation

poc

SSVC status

Description

The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server.

Technical Details

CVSS v3 Vector: 3.1
Published: 7/12/2025
Last Modified: 7/29/2025
Exploit-DB: EDB-52371

Frequently Asked Questions

What is CVE-2020-36847?

Is CVE-2020-36847 actively exploited?

A proof-of-concept exploit exists for CVE-2020-36847, but active exploitation has not been confirmed at this time.

What is the CVSS score for CVE-2020-36847?

CVE-2020-36847 has a CVSS v3 base score of 9.8 (CRITICAL severity), with vector string 3.1.

Is CVE-2020-36847 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.

Check an IP Search CVEs

Back to CVE Database