CVE-2020-37227: HS Brand Logo Slider Unrestricted File Upload Leads to RCE

The National Vulnerability Database (NVD) detailed CVE-2020-37227, an unrestricted file upload vulnerability in HS Brand Logo Slider version 2.1. This flaw allows authenticated users to bypass client-side file extension validation. Attackers can intercept upload requests, specifically to the logoupload parameter within the admin interface, and rename files to executable extensions like .php.

This manipulation enables remote code execution (RCE) on the affected system. The NVD assigns this vulnerability a CVSS score of 8.8 (HIGH). The vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates that the flaw is exploitable over the network with low attack complexity, requires low privileges and no user interaction, and has a high impact on confidentiality, integrity, and availability.

While the NVD did not specify affected products beyond ‘HS Brand Logo Slider 2.1’, the underlying CWE-434 (Unrestricted Upload of File with Dangerous Type) is a common and dangerous weakness. Client-side validation alone is never sufficient for security, because the client controls every byte of the request it sends. Server-side validation is non-negotiable for any file upload functionality.

What This Means For You

  • If your organization uses HS Brand Logo Slider 2.1 or similar plugins, immediately audit all file upload functionalities. Ensure server-side validation is in place to prevent arbitrary file uploads, especially for executable extensions. This is a direct path to RCE for any authenticated user, which can quickly escalate to full system compromise.
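
A server-side check of the kind described above, as an added example rather than code from the plugin or the original advisory. It assumes an upload field that should accept only PNG, JPEG or GIF images; `validate_logo_upload`, `ALLOWED_TYPES` and `MAX_BYTES` are hypothetical names, and the sample files are constructed inline.

```php
<?php
// Added example; function and constant names are hypothetical, not the plugin's.
const ALLOWED_TYPES = [            // extension => MIME types accepted for it
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
];
const MAX_BYTES = 2 * 1024 * 1024; // assumed size limit

/** Validate one $_FILES-style entry; returns [ok, stored name or rejection reason]. */
function validate_logo_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload error'];
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        return [false, 'size out of range'];
    }
    // The client controls the name: use it only to look up the allowlist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return [false, "extension '$ext' not allowed"];
    }
    // Ignore the client-sent Content-Type; sniff the bytes on disk instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        return [false, "content is $mime, not a $ext image"];
    }
    if (@getimagesize($file['tmp_name']) === false) {
        return [false, 'not a decodable image'];
    }
    // Store under a random server-chosen name with the vetted extension.
    return [true, bin2hex(random_bytes(16)) . '.' . $ext];
}

// Constructed samples: a 1x1 PNG, and plain text under .php and .png names.
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$samples = ['logo.png' => $png, 'logo.php' => "just text\n", 'renamed.png' => "just text\n"];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    $entry = ['name' => $name, 'tmp_name' => $tmp, 'size' => strlen($bytes), 'error' => UPLOAD_ERR_OK];
    [$ok, $detail] = validate_logo_upload($entry);
    printf("%-12s %s  %s\n", $name, $ok ? 'ACCEPT' : 'REJECT', $detail);
    unlink($tmp);
}
```

In a real handler the entry comes from `$_FILES`, the accepted file is moved with `move_uploaded_file()` to the returned name, and the check sits behind the application's own authorization and CSRF checks.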

🛡️ Detection Rules

1 detection rule auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1190 Initial Access

CVE-2020-37227: HS Brand Logo Slider Unrestricted File Upload to PHP

Sigma YAML
title: 'CVE-2020-37227: HS Brand Logo Slider Unrestricted File Upload to PHP'  # quoted: the value contains ': '
id: scw-2026-05-16-ai-1
status: experimental
level: critical
description: |
  Detects the specific unrestricted file upload vulnerability in HS Brand Logo Slider (CVE-2020-37227) by looking for POST requests to the upload endpoint with a PHP extension in the URI, often initiated from the admin interface.
author: SCW Feed Engine (AI-generated)
date: 2026-05-16
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2020-37227/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # Successful POST to the plugin's upload endpoint (field names follow Sigma's webserver taxonomy)
    cs-uri-stem|contains:
      - '/wp-content/plugins/hs-brand-logo-slider/upload.php'
    cs-method:
      - 'POST'
    sc-status:
      - '200'
  selection_indicators:
    # The '.php' match is already implied by the endpoint above; the uploaded
    # file's name travels in the request body, which standard access logs do not record.
    cs-uri-stem|contains:
      - '.php'
    cs-referer|contains:
      - '/wp-admin/'
  condition: selection and selection_indicators
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2020-37227 | RCE | HS Brand Logo Slider plugin version 2.1 |
| CVE-2020-37227 | Unrestricted File Upload | Client-side file extension validation bypass |
| CVE-2020-37227 | RCE | Vulnerable parameter: logoupload in admin interface |
| CVE-2020-37227 | RCE | File rename to .php extension for code execution |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 16, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
