Simple File List
by WordPress
Source repositories
CVEs (17)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-12832 | Cri | 0.64 | 9.8 | 0.07 | May 13, 2020 | WordPress Plugin Simple File List before 4.2.8 is prone to a vulnerability that lets attackers delete arbitrary files because the application fails to properly verify user-supplied input. | ||
| CVE-2020-36847 | Cri | 0.61 | 9.8 | 0.13 | Jul 12, 2025 | The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to… | ||
| CVE-2022-1119 | Hig | 0.50 | 7.5 | 0.20 | Apr 19, 2022 | The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible unauthenticated attackers to supply a path to a file that will subsequently be… | ||
| CVE-2023-44227 | Hig | 0.49 | 7.5 | 0.01 | Apr 17, 2024 | Missing Authorization vulnerability in Mitchell Bennis Simple File List.This issue affects Simple File List: from n/a through 6.1.9. | ||
| CVE-2022-3062 | Med | 0.43 | 6.1 | 0.44 | Sep 26, 2022 | The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting | ||
| CVE-2022-3208 | Med | 0.42 | 6.5 | 0.00 | Oct 10, 2022 | The Simple File List WordPress plugin before 4.4.12 does not implement nonce checks, which could allow attackers to make a logged in admin create new page and change it's content via a CSRF attack. | ||
| CVE-2023-39924 | Med | 0.38 | 5.9 | 0.00 | Oct 25, 2023 | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mitchell Bennis Simple File List plugin <= 6.1.9 versions. | ||
| CVE-2025-68591 | Med | 0.35 | 5.4 | 0.00 | Dec 24, 2025 | Missing Authorization vulnerability in Mitchell Bennis Simple File List simple-file-list allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple File List: from n/a through <= 6.1.18. | ||
| CVE-2024-10146 | Med | 0.35 | 5.4 | 0.01 | Nov 14, 2024 | The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against admins. | ||
| CVE-2023-4514 | Med | 0.35 | 5.4 | 0.00 | Nov 27, 2023 | The Mmm Simple File List WordPress plugin through 2.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site… | ||
| CVE-2025-47450 | Med | 0.34 | 5.3 | 0.00 | May 7, 2025 | Missing Authorization vulnerability in Mitchell Bennis Simple File List simple-file-list allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple File List: from n/a through <= 6.1.13. | ||
| CVE-2023-1025 | Med | 0.31 | 4.8 | 0.00 | Mar 27, 2023 | The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in… | ||
| CVE-2022-3207 | Med | 0.31 | 4.8 | 0.00 | Oct 10, 2022 | The Simple File List WordPress plugin before 4.4.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in… | ||
| CVE-2023-4297 | Med | 0.28 | 4.3 | 0.01 | Nov 27, 2023 | The Mmm Simple File List WordPress plugin through 2.3 does not validate the generated path to list files from, allowing any authenticated users, such as subscribers, to list the content of arbitrary directories. | ||
| CVE-2026-12119 | 0.00 | — | 0.00 | Jun 20, 2026 | The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the 'frontmanage' shortcode attribute in all versions up to, and including, 6.3.7. This makes it possible for authenticated attackers, with… | |||
| CVE-2026-11911 | 0.00 | — | 0.01 | Jun 20, 2026 | The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFL_DeleteFile function in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete arbitrary… | |||
| CVE-2026-11912 | 0.00 | — | 0.00 | Jun 20, 2026 | The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the serve. This… |
- risk 0.64cvss 9.8epss 0.07
WordPress Plugin Simple File List before 4.2.8 is prone to a vulnerability that lets attackers delete arbitrary files because the application fails to properly verify user-supplied input.
- risk 0.61cvss 9.8epss 0.13
The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to…
- risk 0.50cvss 7.5epss 0.20
The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible unauthenticated attackers to supply a path to a file that will subsequently be…
- risk 0.49cvss 7.5epss 0.01
Missing Authorization vulnerability in Mitchell Bennis Simple File List.This issue affects Simple File List: from n/a through 6.1.9.
- risk 0.43cvss 6.1epss 0.44
The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting
- risk 0.42cvss 6.5epss 0.00
The Simple File List WordPress plugin before 4.4.12 does not implement nonce checks, which could allow attackers to make a logged in admin create new page and change it's content via a CSRF attack.
- risk 0.38cvss 5.9epss 0.00
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mitchell Bennis Simple File List plugin <= 6.1.9 versions.
- risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in Mitchell Bennis Simple File List simple-file-list allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple File List: from n/a through <= 6.1.18.
- risk 0.35cvss 5.4epss 0.01
The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against admins.
- risk 0.35cvss 5.4epss 0.00
The Mmm Simple File List WordPress plugin through 2.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site…
- risk 0.34cvss 5.3epss 0.00
Missing Authorization vulnerability in Mitchell Bennis Simple File List simple-file-list allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple File List: from n/a through <= 6.1.13.
- risk 0.31cvss 4.8epss 0.00
The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in…
- risk 0.31cvss 4.8epss 0.00
The Simple File List WordPress plugin before 4.4.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in…
- risk 0.28cvss 4.3epss 0.01
The Mmm Simple File List WordPress plugin through 2.3 does not validate the generated path to list files from, allowing any authenticated users, such as subscribers, to list the content of arbitrary directories.
- CVE-2026-12119Jun 20, 2026risk 0.00cvss —epss 0.00
The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the 'frontmanage' shortcode attribute in all versions up to, and including, 6.3.7. This makes it possible for authenticated attackers, with…
- CVE-2026-11911Jun 20, 2026risk 0.00cvss —epss 0.01
The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFL_DeleteFile function in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete arbitrary…
- CVE-2026-11912Jun 20, 2026risk 0.00cvss —epss 0.00
The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the serve. This…