CVE-2020-36847 is a remote code execution vulnerability in the Simple File List plugin for WordPress affecting versions up to and including 4.2.2. The flaw is in the plugin's rename functionality and allows an attacker to take uploaded PHP code that was initially stored with a non-executable image extension, such as PNG, and rename it to use a PHP extension. This bypasses the intended restriction on executable uploads and results in arbitrary server-side code execution. The issue is exploitable without authentication.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
Repository contains a Python proof-of-concept exploit targeting a WordPress plugin vulnerability in Simple File List that enables arbitrary file upload leading to RCE. Structure: (1) README.md explains the attack chain (upload disguised as .png, rename to .php, then access in uploads) and usage with a target list; (2) exploit.py is the main script; (3) list.txt is a sample input list; (4) shells_found.txt is an output log. Exploit flow in exploit.py: it normalizes each target URL (adds scheme and trailing slash), then for each target uses requests to POST a multipart upload to /wp-content/plugins/simple-file-list/ee-upload-engine.php with filename pwn.png but content set to a PHP payload. It then POSTs to /wp-content/plugins/simple-file-list/ee-file-engine.php with parameters oldFile/newFile to rename the uploaded file to .php. Finally it constructs the expected public URL under /wp-content/uploads/simple-file-list/<newfile> and performs an HTTP GET to confirm a 200 response; successful URLs are appended to shells_found.txt. The script is multi-target and parallelized using ThreadPoolExecutor with 100 workers, and disables TLS verification (verify=False), making it suitable for scanning/exploitation across many hosts.
Repository contains a Python3 exploit (exploit.py) and a README describing CVE-2025-34085 (rejected duplicate of CVE-2020-36847) affecting the WordPress Simple File List plugin <= 4.2.2. The exploit performs unauthenticated RCE by (1) POSTing a multipart upload to /wp-content/plugins/simple-file-list/ee-upload-engine.php with a PHP payload masquerading as an image (filename random .png), then (2) POSTing to /wp-content/plugins/simple-file-list/ee-file-engine.php to rename the uploaded file to a PHP extension (tries php, phtml, php5, php3), and (3) GET requesting the resulting URL under /wp-content/uploads/simple-file-list/ to execute commands. It supports single-target mode (-u/--url) and mass scanning via targets.txt using a ThreadPoolExecutor (20 threads). Payload behavior is configurable: default drops a persistent webshell using system($_GET['cmd']) and executes the provided --cmd via ?cmd=; --inline embeds the command directly in the PHP file and triggers it with a plain GET (useful for reverse shells or query-string filtering). Successful exploitation is logged to vuln.txt with the shell URL and command output. The script disables TLS verification (verify=False) and uses basic headers (User-Agent/Accept) plus Referer/Origin for the upload request.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A vulnerability in Simple File List; the article clarifies that CVE-2025-34085 is a rejected duplicate and CVE-2020-36847 is the valid identifier.
A publicly known vulnerability affecting the Simple File List WordPress plugin that is being exploited in a large-scale campaign targeting CMS platforms for webshell deployment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.