Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reflected XSS is network-reachable with no privileges but needs victim click (UI:R); script escaping plugin context yields S:C with low C/I/A impacts.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mitchell Bennis Simple File List simple-file-list allows Reflected XSS.This issue affects Simple File List: from n/a through <= 6.3.8.
AnalysisAI
Reflected cross-site scripting in the Simple File List WordPress plugin (versions up to and including 6.3.8) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they click a crafted link. The scope-changed CVSS vector (S:C) reflects that injected script escapes the plugin's context to affect the broader WordPress site, potentially hijacking authenticated admin sessions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to trick a victim into clicking a specially crafted link to the target WordPress site (CVSS UI:R), because the XSS is reflected rather than stored - there is no persistent injection, so a fresh social-engineering delivery is needed for each victim. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: network-reachable, low complexity, no privileges, but requiring user interaction, with a scope change and low confidentiality, integrity, and availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL pointing at the vulnerable WordPress site with a malicious script payload embedded in a reflected parameter and delivers it to a site administrator via phishing email or a malicious link. When the admin, already logged in, clicks the link, the script executes in their browser under the site's origin (AC:L, UI:R), allowing session token theft or actions performed as the admin. … |
| Remediation | No vendor-released patch version was identified in the provided data - the advisory states the issue affects the plugin through <= 6.3.8 without naming a fixed release, so administrators should check the WordPress.org plugin page and the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/simple-file-list/vulnerability/wordpress-simple-file-list-plugin-6-3-8-reflected-cross-site-scripting-xss-vulnerability) for an update newer than 6.3.8 and apply it as the primary fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all WordPress installations running Simple File List plugin versions 6.3.8 or earlier and disable the plugin immediately to eliminate the attack vector. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Simple File List
View allThe Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/i
WordPress Plugin Simple File List before 4.2.8 is prone to a vulnerability that lets attackers delete arbitrary files be
The Simple File List WordPress plugin before 4.4.12 does not implement nonce checks, which could allow attackers to make
The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes
The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it ba
The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow
The Simple File List WordPress plugin before 4.4.12 does not sanitise and escape some of its settings, which could allow
Unauthenticated arbitrary file deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) al
Arbitrary file modification and deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) a
Unauthorized file operations in the Simple File List WordPress plugin (versions through 6.3.7) allow authenticated contr
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43457