CVE-2025-34085 Scanner
CVE-2025-34085 Scanner - Remote Code Execution vulnerability in WordPress Simple File List
Short Info
Level
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 16 days 9 hours
Scan only one: Domain, Subdomain, IPv4
The WordPress Simple File List plugin is a widely used add-on within the WordPress ecosystem, helping site administrators manage files through an intuitive interface. It is especially popular among small to medium business website admins who require an easy-to-use file management solution directly within their WordPress dashboards. This plugin facilitates the uploading, creating, and managing of file lists directly on the website. Its features are used to provide downloadable resources, manage document libraries, and enable collaborative file sharing among users and admins. It is compatible with various WordPress themes and integrates seamlessly with sites requiring document management functionalities. Before version 4.2.3, the plugin is vulnerable to a remote code execution flaw, thus posing significant risks to site security if not updated.
The remote code execution vulnerability in WordPress Simple File List allows unauthenticated attackers to execute arbitrary code on the server where the plugin is deployed. The issue arises from improper validation of files uploaded through the plugin's file management endpoint, particularly the "ee-upload-engine.php" script. An attacker first uploads a file under an arbitrary extension, then renames it; because the extension is not validated at the rename step, the renamed payload can be executed. Since the code runs on the server itself, exploitation can lead to complete takeover by a malicious entity. In vulnerable versions, the plugin's unsafe file processing therefore permits execution of unauthorized PHP scripts. The flaw underscores the need for stringent validation in any web application that handles file uploads.
In technical terms, the vulnerability is an improperly validated file upload in the WordPress Simple File List plugin. The plugin accepts uploads at a specific endpoint but lacks robust checks after the upload has completed. Attackers exploit the "ee-upload-engine.php" endpoint by disguising a PHP payload as a .png image file. A subsequent request to "ee-file-engine.php" changes the uploaded file's extension to .php, bypassing the initial upload restrictions. Once renamed, the payload executes on the underlying server, enabling remote control or extraction of sensitive information. That a file's type can be changed through this administration-level functionality exposes a critical gap in the plugin's security.
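The upload-then-rename sequence described above leaves a recognizable trail in web server access logs. The following detection sketch is an added example, not part of the original page or the scanner; it assumes the Apache/nginx "combined" log format and a 300-second correlation window, and the sample log lines (documentation IPs, PLUGIN_DIR and UPLOAD_DIR placeholders) are constructed.

```python
import re
from datetime import datetime, timedelta

UPLOAD = "ee-upload-engine.php"   # endpoint names as given in the text above
RENAME = "ee-file-engine.php"
WINDOW = timedelta(seconds=300)   # assumed correlation window

# Assumed input format: Apache/nginx "combined" access log.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None                      # skip lines that are not in the assumed format
    ip, ts, method, uri, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, uri.split("?", 1)[0], int(status)

def find_upload_rename(lines):
    """Flag clients that POST to the upload endpoint and then to the rename
    endpoint within WINDOW; collect any .php they request afterwards for triage."""
    last_upload, findings = {}, {}
    for ip, when, method, path, status in filter(None, map(parse, lines)):
        script = path.rsplit("/", 1)[-1]
        if method == "POST" and script == UPLOAD:
            last_upload[ip] = when
        elif method == "POST" and script == RENAME:
            up = last_upload.get(ip)
            if up and when - up <= WINDOW:
                findings.setdefault(ip, {"upload": up, "rename": when, "php_hits": []})
        elif ip in findings and script.endswith(".php"):
            findings[ip]["php_hits"].append((path, status))
    return findings

SAMPLE = [  # constructed log lines; PLUGIN_DIR / UPLOAD_DIR are placeholders
    '203.0.113.7 - - [10/Jul/2025:12:00:01 +0000] "POST /PLUGIN_DIR/ee-upload-engine.php HTTP/1.1" 200 45 "-" "x"',
    '203.0.113.7 - - [10/Jul/2025:12:00:03 +0000] "POST /PLUGIN_DIR/ee-file-engine.php HTTP/1.1" 200 12 "-" "x"',
    '203.0.113.7 - - [10/Jul/2025:12:00:05 +0000] "GET /UPLOAD_DIR/abc123.php HTTP/1.1" 200 20 "-" "x"',
    '198.51.100.9 - - [10/Jul/2025:12:01:00 +0000] "POST /PLUGIN_DIR/ee-upload-engine.php HTTP/1.1" 200 45 "-" "x"',
    '198.51.100.9 - - [10/Jul/2025:13:30:00 +0000] "POST /PLUGIN_DIR/ee-file-engine.php HTTP/1.1" 200 12 "-" "x"',
]

if __name__ == "__main__":
    for ip, f in find_upload_rename(SAMPLE).items():
        print(ip, f["upload"].isoformat(), f["rename"].isoformat(), f["php_hits"])
```

A finding is a lead for investigation rather than proof of compromise; the files named in `php_hits` are the ones to inspect on disk.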
Exploitation of this remote code execution vulnerability can have several damaging effects, including unauthorized access to the entire server. A successfully executed payload could allow attackers to alter website data, inject malicious scripts, or gain access to sensitive files and databases. The flaw could also allow attackers to install backdoors, launch further attacks on internal network components, or disrupt normal operations. Website defacement, denial of service through resource exhaustion, and escalation of access privileges are all plausible outcomes. Site owners could also face data breach notification obligations or legal consequences if user information is compromised.