Public RCE Exploit for WordPress Plugin Released

A public remote code execution (RCE) exploit for the WordPress Simple File List plugin is being shared for educational purposes. The exploit provides a practical example of a real-world web application attack vector. Analyzing such exploits is useful for developing skills for CTF challenges and lab practice.

- The vulnerability, identified as CVE-2020-36847, affects versions of the Simple File List plugin up to and including 4.2.2. It allows an unauthenticated attacker to upload a file with a PHP extension disguised as a PNG, and then use the plugin's rename function to change it to a .php file, enabling remote code execution. This flaw is considered critical, with a CVSS score of 9.8, because it can be exploited without any authentication.
- WordPress plugins are a significant attack vector, accounting for 97% of all new WordPress security vulnerabilities in 2023. That year, 5,948 new vulnerabilities were discovered in the WordPress ecosystem, a 24% increase from 2022. A concerning 58.9% of these new vulnerabilities did not require authentication for exploitation.
- The Simple File List plugin has over 5,000 active installations, and has had a history of other critical vulnerabilities, including unauthenticated arbitrary file deletion and unauthenticated arbitrary file download in newer versions.
- For those aspiring to a career in penetration testing, certifications like the CompTIA PenTest+ and Certified Ethical Hacker (CEH) provide a strong foundation in the methodologies used to discover and exploit vulnerabilities like this one. More advanced, hands-on certifications such as the Offensive Security Certified Professional (OSCP) require candidates to demonstrate practical exploitation skills on live machines.
- Platforms like Hack The Box and TryHackMe offer virtual labs with vulnerable machines, including many focused on web application exploits similar to the one affecting the Simple File List plugin. These platforms provide a legal and safe environment to practice the techniques used in real-world attacks.
- The exploit for CVE-2020-36847 involves a two-step process: first, uploading a malicious PHP file with a ".png" extension to bypass file type checks, and second, sending a request to the server to rename the file to a ".php" extension, making it executable. This technique of bypassing file upload restrictions is a common attack pattern against web applications.
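As an added example (not the plugin's own code, and not tied to its actual endpoints, which the page does not describe), the following Python upload and rename guard shows the two checks a hardened file-list handler needs so that neither step of the pattern above succeeds: the upload check compares the claimed extension against the file's content, and the rename check refuses to change the extension at all. Allowed types and magic bytes are assumptions chosen for illustration.

```python
import re

# Constructed allow-list: extension -> magic bytes the content must start with.
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
           "gif": b"GIF8", "pdf": b"%PDF-"}
# Extensions that a typical PHP host would execute; never accepted anywhere in a name.
EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "htaccess"}
# Plain file names only: no path separators, no control characters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,120}$")

def extensions(name):
    """All dotted suffixes ('a.php.png' -> ['php', 'png']) so double extensions are seen."""
    return [p.lower() for p in name.split(".")[1:]]

def validate_upload(name, data):
    """Return (ok, reason). Name, extension, content magic and body must all agree."""
    if not SAFE_NAME.match(name):
        return False, "bad filename"
    exts = extensions(name)
    if not exts or exts[-1] not in ALLOWED:
        return False, "extension not allowed"
    if any(e in EXECUTABLE for e in exts):
        return False, "executable extension present"
    # A PHP file renamed to .png fails here: its bytes are not a PNG header.
    if not data.startswith(ALLOWED[exts[-1]]):
        return False, "content does not match extension"
    # Heuristic for a polyglot (valid image header with PHP appended).
    if b"<?php" in data or b"<?=" in data:
        return False, "script tag inside file"
    return True, "ok"

def validate_rename(old, new):
    """Return (ok, reason). The stem may change; the extension may not."""
    if not SAFE_NAME.match(new):
        return False, "bad filename"
    if any(e in EXECUTABLE for e in extensions(new)):
        return False, "rename to executable extension"
    if extensions(old)[-1:] != extensions(new)[-1:]:
        return False, "extension change not permitted"
    return True, "ok"
```

Both functions return a reason string so the rejected request can be logged, which also gives an alerting hook for an upload immediately followed by a refused rename.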
