CVE-2026-24953
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List simple-file-list allows Path Traversal. This issue affects Simple File List: from n/a through <= 6.1.15.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated path traversal in Simple File List (≤6.1.15) allows attackers to download arbitrary files from a WordPress site.
Vulnerability Overview
The Simple File List plugin for WordPress, versions 6.1.15 and earlier, contains a path traversal vulnerability (CWE-22) in its file download functionality. The plugin fails to restrict a user-supplied pathname to the intended file directory, so an attacker can traverse outside that directory [1]. This is classified as an Improper Limitation of a Pathname to a Restricted Directory vulnerability.
Exploitation Details
The vulnerability can be exploited remotely without authentication. By crafting a request that includes path traversal sequences (e.g., ../), an attacker can escape the plugin's intended file access boundary and request any file on the server's filesystem [1]. Attack campaigns typically exploit this kind of vulnerability en masse, targeting thousands of websites regardless of their size or popularity.
Impact
Successful exploitation allows an attacker to download arbitrary files from the affected WordPress site. This includes sensitive files such as wp-config.php (which contains database credentials and authentication keys), other PHP files, or any file the web server process can read. The CVSS v3.1 score is 6.5 (Medium), but the advisory notes that this type of vulnerability is frequently leveraged in mass-exploit campaigns [1].
Mitigation
The vulnerability is patched in version 6.1.16 of Simple File List. Users are strongly advised to update immediately. The advisory also notes that Patchstack has issued a mitigation rule to block attacks for those who cannot update right away [1].
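As an added illustration (not Simple File List's own code, nor Patchstack's rule), the download pattern that produces a CWE-22 bug of this kind beside the containment check that blocks it; the function names, base directory and sample files are assumptions constructed for the demo:

```php
<?php
// Added example, not Simple File List's own code. Function names, the base
// directory and the sample files are assumptions constructed for this demo.

// Vulnerable pattern: joining the request to the directory and opening the
// result as-is, so "../../wp-config.php" walks out of the intended folder.
function sfl_vulnerable_path(string $base_dir, string $requested): string {
    return $base_dir . '/' . $requested;
}

// Hardened pattern: canonicalise with realpath(), which collapses ".." and
// follows symlinks, then require the result to stay under the base directory.
// Returns the absolute path to serve, or null when the request must be refused.
function sfl_safe_path(string $base_dir, string $requested): ?string {
    if (strpos($requested, "\0") !== false) {   // NUL bytes never belong in a name
        return null;
    }
    $real_base = realpath($base_dir);
    if ($real_base === false) {
        return null;
    }
    $candidate = realpath($real_base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {                  // missing file, or an absolute path glued on
        return null;
    }
    $prefix = $real_base . DIRECTORY_SEPARATOR;  // trailing separator stops "/uploads2" matching "/uploads"
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                             // resolved outside the directory: traversal
    }
    return $candidate;
}

// Constructed layout: one legitimate file inside the directory, one outside it.
$base   = sys_get_temp_dir() . '/sfl_demo_' . getmypid();
$secret = sys_get_temp_dir() . '/sfl_outside_' . getmypid();
mkdir($base . '/nested', 0700, true);
file_put_contents($base . '/nested/report.pdf', 'inside');
file_put_contents($secret, 'outside');

// One legitimate request followed by three attempts to leave the directory.
foreach (['nested/report.pdf', '../' . basename($secret), 'nested/../../' . basename($secret), $secret] as $r) {
    $safe = sfl_safe_path($base, $r);
    printf("%-45s %s\n", $r, $safe === null ? 'REJECTED' : 'served: ' . $safe);
}

unlink($secret); unlink($base . '/nested/report.pdf'); rmdir($base . '/nested'); rmdir($base);
```

The same prefix check, applied after canonicalisation, is the control a web application firewall rule can only approximate from the outside, which is why updating the plugin remains the real fix.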
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 6.1.15
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.