Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
EUVD |
EUVD-2025-20765 | This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it is a duplicate of CVE-2020-36847. |
No reference.
Wed, 16 Jul 2025 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-306 CWE-434 |
|
| References |
|
|
| Metrics |
cvssV4_0
|
Wed, 16 Jul 2025 16:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | WordPress Simple File List Plugin < 4.2.3 Unauthenticated Remote Code Execution | |
| Metrics |
ssvc
|
Wed, 16 Jul 2025 16:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | An unrestricted file upload vulnerability in the WordPress Simple File List plugin prior to version 4.2.3 allows unauthenticated remote attackers to achieve remote code execution. The plugin's upload endpoint (ee-upload-engine.php) restricts file uploads based on extension, but lacks proper validation after file renaming. An attacker can first upload a PHP payload disguised as a .png file, then use the plugin’s ee-file-engine.php rename functionality to change the extension to .php. This bypasses upload restrictions and results in the uploaded payload being executable on the server. | This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it is a duplicate of CVE-2020-36847. |
| Metrics |
cvssV4_0
|
cvssV4_0
|
Wed, 16 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
epss
|
epss
|
Tue, 15 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
epss
|
epss
|
Wed, 09 Jul 2025 18:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 09 Jul 2025 01:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | An unrestricted file upload vulnerability in the WordPress Simple File List plugin prior to version 4.2.3 allows unauthenticated remote attackers to achieve remote code execution. The plugin's upload endpoint (ee-upload-engine.php) restricts file uploads based on extension, but lacks proper validation after file renaming. An attacker can first upload a PHP payload disguised as a .png file, then use the plugin’s ee-file-engine.php rename functionality to change the extension to .php. This bypasses upload restrictions and results in the uploaded payload being executable on the server. | |
| Title | WordPress Simple File List Plugin < 4.2.3 Unauthenticated Remote Code Execution | |
| Weaknesses | CWE-306 CWE-434 |
|
| References |
|
|
| Metrics |
cvssV4_0
|
Subscriptions
No data.
Status: REJECTED
Assigner: VulnCheck
Published:
Updated: 2025-07-16T15:48:49.693Z
Reserved: 2025-04-15T19:15:22.551Z
Link: CVE-2025-34085
Updated:
Status : Rejected
Published: 2025-07-09T01:15:50.233
Modified: 2025-07-16T16:15:26.130
Link: CVE-2025-34085
No data.
OpenCVE Enrichment
No data.
No weakness.
EUVD