Skip to main content

Simple File List CVE-2026-57382

| EUVDEUVD-2026-43457 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Reflected XSS is network-reachable with no privileges but needs victim click (UI:R); script escaping plugin context yields S:C with low C/I/A impacts.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:03 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mitchell Bennis Simple File List simple-file-list allows Reflected XSS.This issue affects Simple File List: from n/a through <= 6.3.8.

AnalysisAI

Reflected cross-site scripting in the Simple File List WordPress plugin (versions up to and including 6.3.8) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they click a crafted link. The scope-changed CVSS vector (S:C) reflects that injected script escapes the plugin's context to affect the broader WordPress site, potentially hijacking authenticated admin sessions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft URL with reflected XSS payload
Delivery
Phish admin to click malicious link
Exploit
Script reflected without sanitization
Execution
Execute JavaScript in site origin
Impact
Hijack admin session or act as user

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to trick a victim into clicking a specially crafted link to the target WordPress site (CVSS UI:R), because the XSS is reflected rather than stored - there is no persistent injection, so a fresh social-engineering delivery is needed for each victim. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: network-reachable, low complexity, no privileges, but requiring user interaction, with a scope change and low confidentiality, integrity, and availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL pointing at the vulnerable WordPress site with a malicious script payload embedded in a reflected parameter and delivers it to a site administrator via phishing email or a malicious link. When the admin, already logged in, clicks the link, the script executes in their browser under the site's origin (AC:L, UI:R), allowing session token theft or actions performed as the admin. …
Remediation No vendor-released patch version was identified in the provided data - the advisory states the issue affects the plugin through <= 6.3.8 without naming a fixed release, so administrators should check the WordPress.org plugin page and the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/simple-file-list/vulnerability/wordpress-simple-file-list-plugin-6-3-8-reflected-cross-site-scripting-xss-vulnerability) for an update newer than 6.3.8 and apply it as the primary fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all WordPress installations running Simple File List plugin versions 6.3.8 or earlier and disable the plugin immediately to eliminate the attack vector. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2022-1119 HIGH POC
7.5 Apr 19

The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/i

CVE-2020-12832 CRITICAL POC
9.8 May 13

WordPress Plugin Simple File List before 4.2.8 is prone to a vulnerability that lets attackers delete arbitrary files be

CVE-2022-3208 MEDIUM POC
6.5 Oct 10

The Simple File List WordPress plugin before 4.4.12 does not implement nonce checks, which could allow attackers to make

CVE-2022-3062 MEDIUM POC
6.1 Sep 26

The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes

CVE-2024-10146 MEDIUM POC
5.4 Nov 14

The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it ba

CVE-2023-1025 MEDIUM POC
4.8 Mar 27

The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow

CVE-2022-3207 MEDIUM POC
4.8 Oct 10

The Simple File List WordPress plugin before 4.4.12 does not sanitise and escape some of its settings, which could allow

CVE-2026-11911 HIGH
7.5 Jun 20

Unauthenticated arbitrary file deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) al

CVE-2026-11912 HIGH
7.5 Jun 20

Arbitrary file modification and deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) a

CVE-2026-12119 MEDIUM
6.5 Jun 20

Unauthorized file operations in the Simple File List WordPress plugin (versions through 6.3.7) allow authenticated contr

CVE-2023-39924 MEDIUM
4.8 Oct 25

Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat

Share

CVE-2026-57382 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy