CVE-2020-36847
Simple-File-List · Simple-File-List Plugin for WordPress
A critical remote code execution vulnerability exists in the Simple-File-List Plugin for WordPress.
Executive summary
A critical remote code execution vulnerability exists in the Simple-File-List Plugin for WordPress. An attacker can exploit this flaw to upload a malicious file and rename it to a PHP script, allowing them to execute arbitrary code on the web server. Successful exploitation would result in a complete compromise of the affected website, potentially leading to data theft, website defacement, and further attacks originating from the compromised server.
Vulnerability
The vulnerability exists within the file rename functionality of the plugin. An authenticated attacker, even with low privileges, can upload a file that contains PHP code but carries a non-executable extension (e.g., .txt or .jpg). The attacker then uses the vulnerable rename function to change the file's extension to .php. Because the plugin's rename routine may not validate the new file name's extension, the file ends up on disk as an executable script. Requesting that file by its URL causes the web server to execute the embedded code, giving the attacker control over the server.
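The check the rename path needs is shown below as an added illustrative example in Python, not the plugin's own PHP code. `naive_is_safe_rename` is the kind of blocklist test that looks sufficient and is bypassed by case changes, alternate PHP extensions and multi-extension names; `is_safe_rename` is an allowlist test that rejects an executable extension in any position of the name. The function names, the two extension sets and the `/var/www/uploads` path are assumptions chosen for the demonstration.

```python
"""Allowlist validation for a user-supplied rename target.

Added illustrative example (Python, not the plugin's PHP). The extension
lists and function names are assumptions chosen for the demonstration.
"""
import os
import re
from typing import Iterable

# Extensions a PHP-enabled web server may hand to the script engine.
# Illustrative; what really executes depends on the server's handler config.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Extensions a document-sharing plugin would reasonably let users choose.
ALLOWED_EXTENSIONS = {"txt", "pdf", "jpg", "jpeg", "png", "gif", "zip"}

# A bare file name: no path separators, no leading dot (which also blocks
# ".htaccess" and "../"), no control characters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def naive_is_safe_rename(new_name: str) -> bool:
    """A blocklist check that looks adequate and is not.

    It inspects only the last extension, case-sensitively, so it accepts
    'shell.PHP', 'shell.phtml' and 'shell.php.txt' (the last is executed by
    Apache configurations that match any '.php' segment in the name).
    """
    return new_name.rsplit(".", 1)[-1] != "php"


def is_safe_rename(new_name: str, allowed: Iterable[str] = ALLOWED_EXTENSIONS) -> bool:
    """Allowlist check: accept only a plain name whose final extension is
    permitted and none of whose dot-separated segments is executable."""
    if "\x00" in new_name or not SAFE_NAME.match(new_name):
        return False
    segments = new_name.split(".")
    if len(segments) < 2:
        return False                      # an extension is required
    extensions = [s.lower() for s in segments[1:]]
    if any(ext in EXECUTABLE_EXTENSIONS for ext in extensions):
        return False                      # executable extension in any position
    return extensions[-1] in {a.lower() for a in allowed}


def rename_target(upload_dir: str, new_name: str) -> str:
    """Return the on-disk path a validated rename would write to, or raise.

    Because is_safe_rename() already rejects separators and leading dots,
    the join cannot escape upload_dir.
    """
    if not is_safe_rename(new_name):
        raise ValueError(f"rejected rename target: {new_name!r}")
    return os.path.join(upload_dir, new_name)


if __name__ == "__main__":
    for candidate in ["notes.txt", "photo.holiday.jpg", "shell.PHP",
                      "shell.phtml", "shell.php.txt", "../notes.txt", "notes"]:
        print(f"{candidate:20} naive={naive_is_safe_rename(candidate)!s:5} "
              f"allowlist={is_safe_rename(candidate)}")
```

The allowlist deliberately rejects names such as `shell.php.txt` even though many servers would serve them as text: on Apache with `mod_mime` handlers keyed on any extension segment they execute, and a rename feature has no reason to permit them.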
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful attack would have a severe business impact, leading to a full system compromise. Potential consequences include the theft of sensitive data such as customer information, intellectual property, and financial records stored on the website or its database. An attacker could also use the compromised server to host malware, launch phishing campaigns, or act as a pivot point to attack other systems on the internal network. This can result in significant financial loss, regulatory penalties, reputational damage, and a complete loss of customer trust.
Remediation
Immediate Action: Update the Simple-File-List plugin to a patched version (greater than 4.2.2) as soon as possible to mitigate this vulnerability. After patching, review server access logs and the file system for any signs of prior exploitation.
Proactive Monitoring: System administrators should actively monitor web server access logs for suspicious POST requests to the plugin's administrative functions, particularly those related to file renaming. Scrutinize GET requests for newly created .php files in file upload directories. Implement file integrity monitoring (FIM) to alert on the creation of unauthorized executable files within the web root. Monitor for unusual outbound network traffic from the web server, which could indicate a reverse shell or data exfiltration.
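An added example of the log review this guidance calls for, written for this page rather than taken from the plugin or its vendor: it parses combined-format access log lines, flags any request for a file with an executable extension under the WordPress upload tree, and raises the severity when the same client had posted to the plugin's rename handler shortly beforehand. The log lines are constructed, and the handler paths are labelled placeholders because the advisory does not name the plugin's endpoints; substitute the paths from your installed copy.

```python
"""Access-log triage for the upload-then-rename pattern.

Added example; not code from the plugin or its vendor. Endpoint paths are
placeholders and the log lines are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# PLACEHOLDER: the advisory does not name the plugin's rename endpoint.
RENAME_ENDPOINT = "/wp-content/plugins/simple-file-list/PLACEHOLDER-rename-handler.php"
# WordPress's standard upload root; the plugin may use a subdirectory of it.
UPLOAD_PREFIX = "/wp-content/uploads/"
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Apache/nginx "combined" format: client, user, [timestamp], "METHOD target HTTP/x", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) '
)

# Constructed sample lines (not from a real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2024:10:01:12 +0000] "POST /wp-content/plugins/simple-file-list/PLACEHOLDER-upload-handler.php HTTP/1.1" 200 54 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2024:10:01:15 +0000] "POST /wp-content/plugins/simple-file-list/PLACEHOLDER-rename-handler.php HTTP/1.1" 200 21 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2024:10:01:18 +0000] "GET /wp-content/uploads/files/report.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Mar/2024:10:05:00 +0000] "GET /wp-content/uploads/files/brochure.pdf HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Mar/2024:11:00:00 +0000] "GET /wp-content/uploads/files/old.php HTTP/1.1" 404 196 "-" "curl/8.0"
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("target").split("?", 1)[0],   # drop the query string
        "status": int(m.group("status")),
    }


def is_executable_upload(path: str) -> bool:
    """True for a request into the upload tree whose file name carries an
    executable extension in any dot-separated position (x.php, x.PhP, x.php.txt)."""
    if not path.startswith(UPLOAD_PREFIX):
        return False
    name = path.rsplit("/", 1)[-1]
    return any(seg.lower() in EXECUTABLE_EXTENSIONS for seg in name.split(".")[1:])


def triage(log_text: str, window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Return alerts in log order.

    php_in_upload_dir: a script-like file was requested under the upload tree
    (high if the server answered 2xx/3xx, low if it was only probed for).
    rename_then_php_request: the same client had POSTed to the rename handler
    within `window` before that request, i.e. the pattern described in the advisory.
    """
    alerts: List[Dict] = []
    rename_posts = defaultdict(list)        # ip -> timestamps of rename POSTs
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == RENAME_ENDPOINT:
            rename_posts[rec["ip"]].append(rec["ts"])
            continue
        if rec["method"] == "GET" and is_executable_upload(rec["path"]):
            base = {"ip": rec["ip"], "path": rec["path"], "status": rec["status"]}
            alerts.append({"rule": "php_in_upload_dir",
                           "severity": "high" if rec["status"] < 400 else "low", **base})
            if any(timedelta(0) <= rec["ts"] - t <= window for t in rename_posts[rec["ip"]]):
                alerts.append({"rule": "rename_then_php_request", "severity": "critical", **base})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

A 404 for a `.php` name under the upload tree is still worth a low-severity alert: it is what scanning for an earlier, already-removed web shell looks like, and it identifies clients to check against the rename-handler POSTs.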
Compensating Controls: If immediate patching is not feasible, consider implementing the following controls:
- Deploy a Web Application Firewall (WAF) with rules designed to block attempts to rename files to executable extensions.
- Temporarily disable the file upload and rename functionality of the plugin until it can be patched.
- Harden web server configurations to prevent the execution of scripts in the designated upload directories.
Exploitation status
Public Exploit Available: True
Analyst recommendation
Given the critical 9.8 CVSS score and the confirmed availability of public exploits, this vulnerability represents an immediate and severe threat to the organization. We strongly recommend that administrators prioritize patching all instances of the Simple-File-List plugin to the latest version without delay. Although this CVE is not currently listed on the CISA KEV catalog, its potential for full remote code execution makes it a prime target for attackers. Due to the high likelihood of active exploitation, organizations should assume compromise if a vulnerable version was in use and initiate incident response procedures to investigate for malicious activity.