cleantalk
Vulnerabilities and Security Researches

Simple File List, CVE-2025-34085

CVE, Research URL

CVE-2025-34085

Home page URL

Security reports for Simple File List

Application

Simple File List

Published on
Jul 09, 2025
Research Description
An unrestricted file upload vulnerability in the WordPress Simple File List plugin prior to version 4.2.3 allows unauthenticated remote attackers to achieve remote code execution. The plugin's upload endpoint (ee-upload-engine.php) restricts file uploads based on extension, but lacks proper validation after file renaming. An attacker can first upload a PHP payload disguised as a .png file, then use the plugin’s ee-file-engine.php rename functionality to change the extension to .php. This bypasses upload restrictions and results in the uploaded payload being executable on the server.
Affected versions
Min -, max 4.2.3.
Status
vulnerable
Previous vulnerability researches
WooCommerce Loyal Customers (CVE-2025-32544) , Apr 15, 2025
New vulnerability
WP Register Profile With Shortcode (CVE-2025-4593) , Jul 13, 2025
Simple File List (CVE-2025-34085) , Jul 13, 2025
Pakke Envíos (CVE-2025-52819) , Jul 13, 2025
Gwolle Guestbook (CVE-2025-5807) , Jul 13, 2025
Tennis Court Bookings (CVE-2025-52787) , Jul 13, 2025