Simplefilelist

simplefilelist

9 CVEs • 1 product

Products (1)

Click to collapse

Toggle

Simple File List

simple-file-list

CVEs (9)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-36847 1Simplefilelist 1Simple File List Jul 29, 2025 Jul 12, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a...Show more The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server.Show less
CVE-2024-10146 1Simplefilelist 1Simple File List May 15, 2025 Nov 14, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against admins.
CVE-2023-39924 1Simplefilelist 1Simple File List Nov 21, 2024 Oct 25, 2023 N/A· v4 4.8 MEDIUM· v3 N/A· v2 Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mitchell Bennis Simple File List plugin <= 6.1.9 versions.
CVE-2023-1025 1Simplefilelist 1Simple File List Feb 26, 2025 Mar 27, 2023 N/A· v4 4.8 MEDIUM· v3 N/A· v2 The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unf...Show more The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).Show less
CVE-2022-3208 1Simplefilelist 1Simple File List Nov 21, 2024 Oct 10, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Simple File List WordPress plugin before 4.4.12 does not implement nonce checks, which could allow attackers to make a logged in admin create new page and change it's content via a CSRF attack.
CVE-2022-3207 1Simplefilelist 1Simple File List Nov 21, 2024 Oct 10, 2022 N/A· v4 4.8 MEDIUM· v3 N/A· v2 The Simple File List WordPress plugin before 4.4.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unf...Show more The Simple File List WordPress plugin before 4.4.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)Show less
CVE-2022-3062 1Simplefilelist 1Simple File List May 22, 2025 Sep 26, 2022 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting
CVE-2022-1119 1Simplefilelist 1Simple File List Apr 8, 2026 Apr 19, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible unauthenticated attac...Show more The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible unauthenticated attackers to supply a path to a file that will subsequently be downloaded, in versions up to and including 3.2.7.Show less
CVE-2020-12832 1Simplefilelist 1Simple File List Nov 21, 2024 May 13, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 WordPress Plugin Simple File List before 4.2.8 is prone to a vulnerability that lets attackers delete arbitrary files because the application fails to properly verify user-supplied input.