CVE-2025-68591

Severity: HIGH
Published: 2025-12-24
CVSS 3.1 base score: 8.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Analysis generated: Apr 01, 2026 15:22 (vuln.today)
CVE published: Dec 24, 2025 13:16 (NVD), rated HIGH 8.1

Description

Missing Authorization vulnerability in Mitchell Bennis Simple File List simple-file-list allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple File List: from n/a through <= 6.1.18.

Analysis

Missing authorization in the Simple File List WordPress plugin, version 6.1.18 and earlier, allows authenticated low-privilege users to bypass access controls and gain unauthorized read/write access to file list data. The issue is tagged as an authentication bypass vulnerability; its EPSS score of 0.04% (13th percentile) indicates a low observed exploitation probability. No active exploitation has been confirmed (the CVE is not in the CISA KEV catalog), and no public exploit code had been identified at the time of analysis.

Technical Context

Simple File List is a WordPress plugin for managing and displaying file directories. The vulnerability is classified as CWE-862 (Missing Authorization): the plugin fails to validate user permissions before granting access to file management functions, so authenticated users with low-privilege roles (such as Subscriber or Contributor) can perform actions that should be restricted to higher-privilege roles like Administrator. The CVSS vector indicates network-based exploitation (AV:N) with low attack complexity (AC:L), requiring only low-privilege authentication (PR:L) and no user interaction (UI:N). The high confidentiality and integrity impacts with no availability impact (C:H/I:H/A:N) mean an attacker can read sensitive files and modify file list configurations but cannot disrupt service availability.
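To make the CWE-862 pattern concrete, here is an added illustration of the generic WordPress mistake and its fix. This is hypothetical example code written for this page; it is not Simple File List's code and does not describe how that plugin is implemented. The action names (demo_list_files, demo_list_files_secure), the nonce action string and the directory path are all invented for the example. The weak handler is reachable by any logged-in user through the wp_ajax_ hook and never asks what role that user holds; the hardened handler adds a nonce check for request forgery and, separately, an explicit capability check for authorization.

```php
<?php
// Hypothetical plugin code illustrating CWE-862 (Missing Authorization) in a
// WordPress AJAX handler. Not Simple File List's code; names are invented.

// --- Weak pattern -----------------------------------------------------------
// wp_ajax_* hooks fire for every authenticated user, Subscriber included.
// Nothing in the callback asks whether this user may manage files, so the
// "is logged in" check is silently treated as if it were an authorization check.
add_action( 'wp_ajax_demo_list_files', 'demo_list_files_unchecked' );
function demo_list_files_unchecked() {
    $dir   = WP_CONTENT_DIR . '/uploads/demo-files'; // constructed example path
    $files = array_values( array_diff( scandir( $dir ), array( '.', '..' ) ) );
    wp_send_json_success( $files ); // directory contents disclosed to any role
}

// --- Hardened pattern -------------------------------------------------------
// Two distinct checks, because they defend against two distinct problems:
//   1. check_ajax_referer(): the request carries a valid nonce for this action
//      (anti-CSRF). A nonce proves intent, NOT privilege.
//   2. current_user_can(): the caller actually holds the capability required
//      for this operation (authorization). This is the check CWE-862 is about.
add_action( 'wp_ajax_demo_list_files_secure', 'demo_list_files_checked' );
function demo_list_files_checked() {
    // Dies with HTTP 403 if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'demo_list_files', 'nonce' );

    // 'manage_options' is an Administrator capability on a single-site install.
    // Pick the narrowest capability that fits the operation; do not rely on
    // is_user_logged_in() alone.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $dir   = WP_CONTENT_DIR . '/uploads/demo-files'; // constructed example path
    $files = array_values( array_diff( scandir( $dir ), array( '.', '..' ) ) );
    wp_send_json_success( $files );
}

// The nonce consumed above is issued to the admin page's script like this
// (handle 'demo-admin-js' is invented for the example):
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'demo-admin-js', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_list_files' ),
    ) );
} );
```

When reviewing a plugin for this class of bug, the question to ask of every wp_ajax_*, REST route or admin-post handler is whether a capability check is performed before the privileged work, not merely whether a nonce is verified: a Subscriber can obtain a valid nonce for any page they can load, so a nonce alone does not restrict the action to Administrators.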

Affected Products

Mitchell Bennis Simple File List WordPress plugin versions 6.1.18 and all earlier versions are affected by this missing authorization vulnerability. The CPE identifier for this product would follow the pattern cpe:2.3:a:mitchell_bennis:simple-file-list:*:*:*:*:*:wordpress:*:* with version ranges up to and including 6.1.18. The Patchstack reference database indicates version 6.1.15 was specifically analyzed for broken access control issues, suggesting the vulnerability has persisted through multiple releases. All WordPress installations running this plugin should be considered vulnerable until patched.

Remediation

WordPress administrators should immediately update the Simple File List plugin to version 6.1.19 or later if available. Check the official WordPress plugin repository or the vendor's website for the latest patched release addressing this authorization bypass. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/simple-file-list/vulnerability/wordpress-simple-file-list-plugin-6-1-15-broken-access-control-vulnerability provides additional technical details and may include specific patch information. As an interim mitigation while waiting for patches, administrators should audit WordPress user roles and remove unnecessary low-privilege accounts, restrict plugin access to only trusted administrator accounts, and review file list permissions to ensure sensitive documents are not exposed through the plugin. Consider temporarily disabling the Simple File List plugin if it is not business-critical until a verified patch is deployed.

Priority Score: 41 (scale: Low / Medium / High / Critical)

Score components:
KEV: 0
EPSS: +0.0
CVSS: +40
POC: 0
