Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

WordPress Simple File List Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in the Simple File List WordPress plugin, affecting versions prior to 4.2.3. The issue arises from an unauthenticated arbitrary file upload feature, which allows attackers to upload PHP files disguised as PNG images. Once uploaded, these files can be renamed to use a .php extension and executed on the server.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server, with the executed code running in the context of the web server user.

Reproduction

To reproduce this vulnerability, upload a file containing PHP code through the WordPress Simple File List plugin's file upload feature, using a .png extension. After the file is uploaded, send a request to rename the file to use a .php extension. Once renamed, the PHP code can be executed by accessing the file via the web server.

Remediation

Users are advised to update the Simple File List WordPress plugin to version 4.2.3 or later.
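For sites that cannot patch immediately, the two checks the vulnerable code path lacks are worth understanding: an upload must be validated by content as well as by name, and a rename must never turn a validated file into a script. The following is an added illustration written for this advisory, not the plugin's own code (which is PHP); it is in Python so it runs stand-alone, and the PNG signature, PHP markers and extension lists are assumptions chosen for the example.

```python
import re

# Constructed for this example, not taken from the plugin: the PNG signature,
# the markers that betray PHP code inside an "image", and extension lists.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PHP_MARKERS = (b"<?php", b"<?=", b"<script language=\"php\"", b"<script language='php'")
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps"}
ALLOWED_EXTS = {"png"}


def extensions(filename: str) -> list[str]:
    """All dotted suffixes, lower-cased: 'shell.php.png' yields ['php', 'png']."""
    parts = filename.lower().rstrip(".").split(".")
    return parts[1:] if len(parts) > 1 else []


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Accept only a genuine PNG: name, magic bytes and body must all agree."""
    exts = extensions(filename)
    if not exts or exts[-1] not in ALLOWED_EXTS:
        return False, "extension not allowed"
    if any(e in EXECUTABLE_EXTS for e in exts):
        return False, "executable extension inside file name"
    if not content.startswith(PNG_MAGIC):
        return False, "content is not a PNG"
    # A valid PNG header does not prove a clean file: the PHP payload can sit
    # behind it, so the body is scanned for script markers as well.
    if any(m in content.lower() for m in PHP_MARKERS):
        return False, "PHP code embedded in image"
    return True, "ok"


def rename_allowed(old_name: str, new_name: str) -> bool:
    """Refuse renames that change the extension or introduce path components."""
    if "/" in new_name or "\\" in new_name or ".." in new_name:
        return False
    new_exts = extensions(new_name)
    if any(e in EXECUTABLE_EXTS for e in new_exts):
        return False
    # Only the base name may change; the validated extension must be kept.
    return new_exts[-1:] == extensions(old_name)[-1:]
```

Content checks like these are a heuristic layer; the durable mitigation remains the plugin update together with web-server rules that refuse to execute scripts from the upload directory.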

Added: Jul 12, 2025, 10:17 AM
Updated: Jul 12, 2025, 10:17 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 10.0
exploitability: 10.0
remediation: 7.7
relevance: 0.3
threat: 9.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.