Vulnerabilities and security researches forsimple-file-list simple-file-list

May 09, 2025

CVE, Research URL: CVE-2025-47450
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: May 07, 2025
Research Description: Missing Authorization vulnerability in Mitchell Bennis Simple File List allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple File List: from n/a through 6.1.13.
Affected versions: Min -, max -.
Status: vulnerable

Nov 15, 2024

CVE, Research URL: CVE-2024-10146
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Nov 14, 2024
Research Description: The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against admins.
Affected versions: Min -, max -.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2022-1119
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Apr 20, 2022
Research Description: The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible unauthenticated attackers to supply a path to a file that will subsequently be downloaded, in versions up to and including 3.2.7.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2020-12832
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: May 13, 2020
Research Description: WordPress Plugin Simple File List before 4.2.8 is prone to a vulnerability that lets attackers delete arbitrary files because the application fails to properly verify user-supplied input.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2022-3207
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Oct 11, 2022
Research Description: The Simple File List WordPress plugin before 4.4.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-44227
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Apr 17, 2024
Research Description: Missing Authorization vulnerability in Mitchell Bennis Simple File List.This issue affects Simple File List: from n/a through 6.1.9.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-39924
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Oct 25, 2023
Research Description: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mitchell Bennis Simple File List plugin <= 6.1.9 versions.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2022-3208
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Oct 11, 2022
Research Description: The Simple File List WordPress plugin before 4.4.12 does not implement nonce checks, which could allow attackers to make a logged in admin create new page and change it's content via a CSRF attack.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2022-3062
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Sep 26, 2022
Research Description: The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-1025
Home page URL: Security reports for Simple File List
Application: Simple File List
Date: Mar 27, 2023
Research Description: The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected versions: Min -, max -.
Status: vulnerable