CVE-2023-39924 – WordPress Simple File List Plugin <= 6.1.9 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-39924
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mitchell Bennis Simple File List plugin <= 6.1.9 versions. Authenticated (admin or higher permissions) Stored Cross-Site Scripting (XSS) vulnerability in the Mitchell Bennis Simple File List plugin in versions <= 6.1.9. The Simple File List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in versions up to, and including, 6.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References: https://patchstack.com/database/vulnerability/simple-file-list/wordpress-simple-file-list-plugin-6-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-44227 – WordPress Simple File List Plugin <= 6.1.9 is vulnerable to Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2023-44227
Missing Authorization vulnerability in Mitchell Bennis Simple File List. This issue affects Simple File List: from n/a through 6.1.9. Missing authorization vulnerability in Mitchell Bennis Simple File List. This issue affects Simple File List: from n/a through 6.1.9. The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including, 6.1.9. This is due to insufficient controls on files passed to a deletion function.
References: https://github.com/codeb0ss/CVE-2023-44227-PoC https://patchstack.com/database/vulnerability/simple-file-list/wordpress-simple-file-list-plugin-6-1-8-arbitrary-file-deletion?_s_id=cve
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CWE-862: Missing Authorization
CVE-2023-1025 – Simple File List < 6.0.10 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-1025
The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). The Simple File List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 6.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
References: https://wpscan.com/vulnerability/13621b13-8d31-4214-a665-cb15981f3ec1
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')