CVE-2025-47450

Vulnerability

Overview The Simple File List WordPress plugin versions up to and including 6.1.13 contain a missing authorization vulnerability [1]. This occurs because the plugin fails to properly validate access control security levels when processing certain requests, effectively exposing administrative actions to unauthenticated users.

Exploitation

Conditions An attacker can exploit this weakness remotely without needing any prior authentication or special network position. The vulnerability is triggered by sending crafted HTTP requests to the plugin's endpoints that should normally require administrator-level privileges. The lack of proper capability or nonce checks allows unauthorized modifications to the plugin's settings [1].

Impact

Successful exploitation enables an attacker to alter the plugin's configuration, potentially leading to unintended file exposure, denial of service, or further compromise of the WordPress instance. Due to the low complexity and no authentication requirement, this vulnerability is particularly dangerous and has been observed in mass-exploit campaigns targeting thousands of websites [1].

Mitigation

Users are strongly advised to update the Simple File List plugin to a patched version immediately. If updating is not possible, consulting with hosting providers or web developers for alternative protective measures is recommended [1].