Unrestricted File Upload in WordPress Simple File List Plugin
CVE-2025-34085

10 CRITICAL

Key Information:

Vendor

WordPress

CVE Published:
9 July 2025

Badges

📈 Score: 224
👾 Exploit Exists
🟡 Public PoC
📰 News Worthy

What is CVE-2025-34085?

CVE-2025-34085 is a security vulnerability in the Simple File List plugin for WordPress, affecting versions prior to 4.2.3. The plugin provides file management for WordPress sites, letting users upload and organize files. The vulnerability allows unauthorized remote attackers to execute arbitrary code on the server through the plugin’s upload feature: the plugin validates a file’s type at upload time but does not re-validate it when the file is renamed afterwards. An attacker can therefore upload a malicious PHP file under a harmless extension such as .png and then rename it to .php, after which the web server executes it, compromising the server and potentially leading to serious security breaches.
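The defensive check the description points to, as an added PHP example that is not the plugin's own code: a rename handler that applies the same extension allowlist to the new name as to the original upload, so the upload-time check cannot be bypassed by renaming. The allowlist, the function names and the upload directory are assumptions for illustration.

```php
<?php
// Added example, not Simple File List code: apply the upload allowlist to the
// target name of a rename as well, so a file accepted as "x.png" cannot become
// "x.php". The allowlist and function names are assumptions for illustration.

const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt', 'zip'];

// True when $name has no path components and every dotted suffix is allowed.
// Checking every suffix also rejects "x.php.png", which some Apache
// configurations still hand to the PHP interpreter, and dotfiles like ".htaccess".
function is_allowed_filename(string $name): bool
{
    if ($name === '' || strpos($name, "\0") !== false || $name !== basename($name)) {
        return false;                      // empty, NUL byte, separators or traversal
    }
    $suffixes = explode('.', $name);
    array_shift($suffixes);                // drop the base name
    if ($suffixes === []) {
        return false;                      // no extension at all
    }
    foreach ($suffixes as $ext) {
        if (!in_array(strtolower($ext), ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Rename inside $upload_dir, refusing any target the upload check would refuse.
function rename_upload(string $upload_dir, string $old, string $new): bool
{
    if (!is_allowed_filename($old) || !is_allowed_filename($new)) {
        return false;
    }
    $base = realpath($upload_dir);
    if ($base === false) {
        return false;                      // upload directory does not exist
    }
    $src = $base . DIRECTORY_SEPARATOR . $old;
    $dst = $base . DIRECTORY_SEPARATOR . $new;
    return is_file($src) && !file_exists($dst) && rename($src, $dst);
}

// Constructed checks; the second line is the CVE-2025-34085 rename pattern.
assert(is_allowed_filename('report.png') === true);
assert(is_allowed_filename('report.php') === false);
assert(is_allowed_filename('report.php.png') === false);
assert(is_allowed_filename('../report.png') === false);
```

The same `is_allowed_filename` check belongs in the upload handler, so that the upload and rename paths cannot drift apart again.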

Potential impact of CVE-2025-34085

  1. Remote Code Execution: The primary risk associated with this vulnerability is the ability for an attacker to execute arbitrary code on the server. This can allow the attacker to gain full control over the system, leading to unauthorized access to sensitive data, manipulation of site content, or further deployment of malware.

  2. Compromise of User Data: Given that many WordPress installations handle sensitive information, exploitation of this vulnerability could result in the theft or exposure of critical user data, including personal information and credentials, leading to potential identity theft and privacy violations.

  3. Increased Attack Surface for Subsequent Attacks: Successfully exploiting this vulnerability can provide a foothold for attackers, enabling them to deploy additional malicious tools or ransomware. Once embedded in the system, attackers can leverage this access to pivot to other connected systems or applications, significantly broadening their attack potential and increasing the overall risk to the organization.

Affected Version(s)

Simple File List WordPress Plugin < 4.2.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

CVE-2025-34085 Element Engage Simple File List Plugin ee-upload-engine.php unrestricted upload

A vulnerability was found in Element Engage Simple File List Plugin up to 4.2.2 on WordPress. It has been classified as critical. This vulnerability is traded as CVE-2025-34085. It is recommended to upgrade the affected component.


References

CVSS V4

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 📰 First article discovered by VulDB

  • Vulnerability published

  • Vulnerability Reserved

Credit

coiffeur