CVE-2025-34085 is a rejected CVE record. It was withdrawn by the CVE Numbering Authority because it is a duplicate of CVE-2020-36847. References to CVE-2025-34085 in reporting about exploitation of the Simple File List WordPress plugin should be mapped to CVE-2020-36847 instead. No separate vulnerability definition should be maintained for CVE-2025-34085.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
6 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
Repository contains a Python3 exploit (exploit.py) and a README describing CVE-2025-34085 (rejected duplicate of CVE-2020-36847) affecting the WordPress Simple File List plugin <= 4.2.2. The exploit performs unauthenticated RCE by (1) POSTing a multipart upload to /wp-content/plugins/simple-file-list/ee-upload-engine.php with a PHP payload masquerading as an image (filename random .png), then (2) POSTing to /wp-content/plugins/simple-file-list/ee-file-engine.php to rename the uploaded file to a PHP extension (tries php, phtml, php5, php3), and (3) GET requesting the resulting URL under /wp-content/uploads/simple-file-list/ to execute commands. It supports single-target mode (-u/--url) and mass scanning via targets.txt using a ThreadPoolExecutor (20 threads). Payload behavior is configurable: default drops a persistent webshell using system($_GET['cmd']) and executes the provided --cmd via ?cmd=; --inline embeds the command directly in the PHP file and triggers it with a plain GET (useful for reverse shells or query-string filtering). Successful exploitation is logged to vuln.txt with the shell URL and command output. The script disables TLS verification (verify=False) and uses basic headers (User-Agent/Accept) plus Referer/Origin for the upload request.
This repository contains a working exploit for CVE-2025-34085, a critical unauthenticated remote code execution vulnerability in the Simple File List WordPress plugin (versions prior to 4.2.3). The exploit is implemented in a single Python script (CVE-2025-34085.py) and is accompanied by a detailed README.md explaining the vulnerability, exploitation steps, and mitigation advice. The exploit works by uploading a PHP payload disguised as a PNG image to the vulnerable 'ee-upload-engine.php' endpoint, then renaming it to a PHP extension using 'ee-file-engine.php'. The attacker can then access the uploaded shell and execute arbitrary commands on the server, either via a GET parameter or inline, depending on user input. The script supports both single-target and mass exploitation via multithreading. Key endpoints targeted by the exploit are: - /wp-content/plugins/simple-file-list/ee-upload-engine.php (for file upload) - /wp-content/plugins/simple-file-list/ee-file-engine.php (for file renaming) - /wp-content/uploads/simple-file-list/ (for shell access) The exploit is operational, providing a real web shell and command execution capability. The README confirms the vulnerability is real and actively exploited, though the CVE was marked as a duplicate of a prior issue. The repository is well-structured, with clear usage instructions and mitigation advice.
This repository contains an operational exploit for CVE-2025-34085, a critical unauthenticated remote code execution vulnerability in the WordPress Simple File List plugin. The exploit is implemented in Python (main.py) and automates the process of uploading a malicious PHP payload to the vulnerable plugin's upload endpoint, renaming the file to a .php extension via a second endpoint, and then executing arbitrary commands on the compromised server. The tool supports both single and mass exploitation (via targets.txt), includes multithreading for efficiency, and features automatic URL cleaning and result logging. The README provides detailed usage instructions, mitigation advice, and references. The main exploit logic is in main.py, which is the only code file. The exploit targets WordPress sites with the vulnerable plugin and does not require authentication, making it highly impactful if unpatched. The endpoints exploited are clearly fingerprintable and relate directly to the plugin's file handling mechanisms.
This repository contains a Python exploit script (CVE-2025-34085.py) targeting CVE-2025-34085, a critical unauthenticated remote code execution vulnerability in the WordPress Simple File List plugin. The exploit works by uploading a malicious PHP file (web shell) to the plugin's upload endpoint, then renaming it to a PHP extension using the rename endpoint, and finally executing arbitrary commands via HTTP requests to the shell. The script supports both single and multiple target modes, is multithreaded for efficiency, and logs successful exploits to 'vuln.txt'. The main endpoints targeted are '/wp-content/plugins/simple-file-list/ee-upload-engine.php' for uploads, '/wp-content/plugins/simple-file-list/ee-file-engine.php' for renaming, and the shell is placed in '/wp-content/uploads/simple-file-list/'. The repository is structured with the main exploit script, a README with detailed usage and mitigation advice, a LICENSE file, and a .gitignore. The exploit is operational, providing a working web shell payload and command execution capability.
This repository contains a mass-exploitation scanner and exploit for CVE-2025-34085, an unauthenticated remote code execution vulnerability in the WordPress Simple File List plugin. The main script, CVE-2025-34085.py, is a Python tool that reads a list of target domains from targets.txt and attempts to exploit each by uploading a disguised PHP webshell via a vulnerable upload endpoint. It then renames the file to a PHP extension using another vulnerable endpoint and triggers command execution by sending a GET request with a 'cmd' parameter. The exploit is multithreaded for speed and logs successful RCEs to vuln.txt. The payload is a simple PHP webshell that executes arbitrary commands. The repository is structured with a single exploit script, a README with usage and configuration instructions, a license file, and a targets.txt file for input. The exploit is operational and suitable for mass scanning and exploitation of vulnerable WordPress sites.
This repository contains two Python exploit scripts (simple.py and simpleRS.py) targeting CVE-2025-34085, an unauthenticated remote code execution vulnerability in the WordPress Simple File List plugin (versions <= 4.2.3). The exploit works by uploading a PHP file disguised as a .png image, then using a rename operation to change the extension to .php (or similar), and finally triggering the webshell to execute arbitrary commands. The scripts automate the full attack chain: upload, rename (with brute-force for various PHP extensions), and shell trigger. simple.py provides a basic command execution webshell, while simpleRS.py uses an obfuscated PHP reverse shell payload. The attack is fully unauthenticated and leverages specific plugin endpoints for upload and rename. The repository is operational and provides a working exploit with customizable payloads.
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A rejected duplicate CVE identifier for the Simple File List vulnerability; the valid identifier is CVE-2020-36847.
A vulnerability in the Simple File List WordPress plugin that was directly targeted in the WP-SHELLSTORM campaign.
A publicly known vulnerability affecting the Simple File List WordPress plugin that is being exploited in a large-scale campaign targeting CMS platforms for webshell deployment.
An arbitrary file upload and rename to remote code execution vulnerability in the WordPress Simple File List plugin used to upload PNG content and rename it to PHP for execution.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.