Vulnerabilities and security researches forsimple-file-list simple-file-list

Jun 07, 2024

CVE, Research URL: CVE-2022-1119
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Apr 20, 2022
Research Description: The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible unauthenticated attackers to supply a path to a file that will subsequently be downloaded, in versions up to and including 3.2.7.
Affected versions: max 3.2.5.
Status: vulnerable

CVE, Research URL: CVE-2020-12832
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: May 13, 2020
Research Description: WordPress Plugin Simple File List before 4.2.8 is prone to a vulnerability that lets attackers delete arbitrary files because the application fails to properly verify user-supplied input.
Affected versions: max 4.2.8.
Status: vulnerable

CVE, Research URL: CVE-2022-3207
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Oct 11, 2022
Research Description: The Simple File List WordPress plugin before 4.4.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Affected versions: max 4.4.12.
Status: vulnerable

CVE, Research URL: CVE-2023-44227
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Apr 17, 2024
Research Description: Missing Authorization vulnerability in Mitchell Bennis Simple File List.This issue affects Simple File List: from n/a through 6.1.9.
Affected versions: max 6.1.10.
Status: vulnerable

CVE, Research URL: CVE-2023-39924
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Oct 25, 2023
Research Description: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mitchell Bennis Simple File List plugin <= 6.1.9 versions.
Affected versions: max 6.1.10.
Status: vulnerable

CVE, Research URL: CVE-2022-3208
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Oct 11, 2022
Research Description: The Simple File List WordPress plugin before 4.4.12 does not implement nonce checks, which could allow attackers to make a logged in admin create new page and change it's content via a CSRF attack.
Affected versions: max 4.4.13.
Status: vulnerable

CVE, Research URL: CVE-2022-3062
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Sep 26, 2022
Research Description: The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting
Affected versions: max 3.2.5.
Status: vulnerable

CVE, Research URL: CVE-2023-1025
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Mar 27, 2023
Research Description: The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected versions: max 3.2.8.
Status: vulnerable

Nov 15, 2024

CVE, Research URL: CVE-2024-10146
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Nov 14, 2024
Research Description: The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against admins.
Affected versions: max 6.1.13.
Status: vulnerable

May 09, 2025

CVE, Research URL: CVE-2025-47450
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: May 07, 2025
Research Description: Missing Authorization vulnerability in Mitchell Bennis Simple File List simple-file-list allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple File List: from n/a through <= 6.1.13.
Affected versions: max 6.1.14.
Status: vulnerable

Jul 13, 2025

CVE, Research URL: -
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Jul 09, 2025
Research Description: Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it is a duplicate of CVE-2020-36847.
Affected versions: max 4.2.3.
Status: vulnerable

Aug 07, 2025

CVE, Research URL: CVE-2025-54021
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Aug 20, 2025
Research Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List simple-file-list allows Path Traversal.This issue affects Simple File List: from n/a through <= 6.1.14.
Affected versions: max 6.1.15.
Status: vulnerable

Jan 10, 2026

CVE, Research URL: CVE-2025-68591
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Dec 24, 2025
Research Description: Missing Authorization vulnerability in Mitchell Bennis Simple File List simple-file-list allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple File List: from n/a through <= 6.1.18.
Affected versions: max 6.1.18.
Status: vulnerable

Feb 27, 2026

CVE, Research URL: CVE-2026-24953
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Feb 20, 2026
Research Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List simple-file-list allows Path Traversal.This issue affects Simple File List: from n/a through <= 6.1.15.
Affected versions: max 6.1.16.
Status: vulnerable

Jun 13, 2026

CVE, Research URL: CVE-2020-36847
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Jul 12, 2025
Research Description: The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server.
Affected versions: max 4.2.3.
Status: vulnerable