Skip to main content

Simple File List

13 CVEs product

Monthly

CVE-2026-57382 HIGH This Week

Reflected cross-site scripting in the Simple File List WordPress plugin (versions up to and including 6.3.8) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they click a crafted link. The scope-changed CVSS vector (S:C) reflects that injected script escapes the plugin's context to affect the broader WordPress site, potentially hijacking authenticated admin sessions. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided.

XSS Simple File List
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-12119 MEDIUM This Month

Unauthorized file operations in the Simple File List WordPress plugin (versions through 6.3.7) allow authenticated contributors to delete, move, create folders, and download arbitrary server files by exploiting a missing authorization check on the 'frontmanage' shortcode attribute. The attack is non-trivial but fully described: an attacker creates a draft post embedding the 'eeSFL' shortcode, loads the WordPress post preview endpoint to harvest a valid nonce, then submits file operation requests to ee-list-ops-bar-process.php that bypass the intended privilege checks. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; a patch changeset (3579098) exists in the plugin repository, though the released fixed version is not independently confirmed.

Authentication Bypass WordPress PHP Simple File List
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-11911 HIGH This Week

Unauthenticated arbitrary file deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows remote attackers to delete any file the web server can write to, including wp-config.php, which can escalate to remote code execution. The flaw lives in the eeSFL_DeleteFile function and is reachable via the simplefilelist_edit_job AJAX action registered through wp_ajax_nopriv_, with the is_admin() guard rendered ineffective because that function always returns true on admin-ajax.php. No public exploit identified at time of analysis, but the trivial reachability and high-value target (WordPress) make weaponization straightforward.

Path Traversal PHP WordPress RCE Simple File List
NVD VulDB
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-11912 HIGH This Week

Arbitrary file modification and deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows unauthenticated remote attackers to alter or remove files on the server. The flaw stems from a broken authorization guard where an is_admin() check short-circuits before the AllowFrontManage setting is evaluated, leaving every installation exposed regardless of configuration. No public exploit identified at time of analysis, but the bug is reachable on default settings and was disclosed by Wordfence.

WordPress Authentication Bypass Simple File List
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2020-36847 CRITICAL POC PATCH THREAT Act Now

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulnerability. Attackers can upload PHP files disguised with image extensions and then rename them back to .php using the plugin's built-in rename functionality, bypassing all upload restrictions.

PHP WordPress RCE Simple File List
NVD WPScan Exploit-DB
CVSS 3.1
9.8
EPSS
86.1%
Threat
6.0
CVE-2024-10146 MEDIUM POC This Month

The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Simple File List
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2023-39924 MEDIUM This Month

Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Simple File List
NVD
CVSS 3.1
4.8
EPSS
0.4%
CVE-2023-1025 MEDIUM POC This Month

The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Simple File List
NVD WPScan
CVSS 3.1
4.8
EPSS
0.4%
CVE-2022-3208 MEDIUM POC This Month

The Simple File List WordPress plugin before 4.4.12 does not implement nonce checks, which could allow attackers to make a logged in admin create new page and change it's content via a CSRF attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Simple File List
NVD WPScan
CVSS 3.1
6.5
EPSS
0.3%
CVE-2022-3207 MEDIUM POC This Month

The Simple File List WordPress plugin before 4.4.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Simple File List
NVD WPScan
CVSS 3.1
4.8
EPSS
0.5%
CVE-2022-3062 MEDIUM POC THREAT This Month

The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Simple File List
NVD WPScan
CVSS 3.1
6.1
EPSS
44.1%
CVE-2022-1119 HIGH POC PATCH THREAT Act Now

The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 85.8%.

PHP WordPress Path Traversal Simple File List
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
85.8%
Threat
5.6
CVE-2020-12832 CRITICAL POC PATCH Act Now

WordPress Plugin Simple File List before 4.2.8 is prone to a vulnerability that lets attackers delete arbitrary files because the application fails to properly verify user-supplied input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

WordPress Path Traversal Simple File List
NVD
CVSS 3.1
9.8
EPSS
7.1%
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Simple File List WordPress plugin (versions up to and including 6.3.8) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they click a crafted link. The scope-changed CVSS vector (S:C) reflects that injected script escapes the plugin's context to affect the broader WordPress site, potentially hijacking authenticated admin sessions. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided.

XSS Simple File List
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthorized file operations in the Simple File List WordPress plugin (versions through 6.3.7) allow authenticated contributors to delete, move, create folders, and download arbitrary server files by exploiting a missing authorization check on the 'frontmanage' shortcode attribute. The attack is non-trivial but fully described: an attacker creates a draft post embedding the 'eeSFL' shortcode, loads the WordPress post preview endpoint to harvest a valid nonce, then submits file operation requests to ee-list-ops-bar-process.php that bypass the intended privilege checks. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; a patch changeset (3579098) exists in the plugin repository, though the released fixed version is not independently confirmed.

Authentication Bypass WordPress PHP +1
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

Unauthenticated arbitrary file deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows remote attackers to delete any file the web server can write to, including wp-config.php, which can escalate to remote code execution. The flaw lives in the eeSFL_DeleteFile function and is reachable via the simplefilelist_edit_job AJAX action registered through wp_ajax_nopriv_, with the is_admin() guard rendered ineffective because that function always returns true on admin-ajax.php. No public exploit identified at time of analysis, but the trivial reachability and high-value target (WordPress) make weaponization straightforward.

Path Traversal PHP WordPress +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary file modification and deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows unauthenticated remote attackers to alter or remove files on the server. The flaw stems from a broken authorization guard where an is_admin() check short-circuits before the AllowFrontManage setting is evaluated, leaving every installation exposed regardless of configuration. No public exploit identified at time of analysis, but the bug is reachable on default settings and was disclosed by Wordfence.

WordPress Authentication Bypass Simple File List
NVD VulDB
EPSS 86% 6.0 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulnerability. Attackers can upload PHP files disguised with image extensions and then rename them back to .php using the plugin's built-in rename functionality, bypassing all upload restrictions.

PHP WordPress RCE +1
NVD WPScan Exploit-DB
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Simple File List
NVD WPScan
EPSS 0% CVSS 4.8
MEDIUM This Month

Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Simple File List
NVD
EPSS 0% CVSS 4.8
MEDIUM POC This Month

The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Simple File List
NVD WPScan
EPSS 0% CVSS 6.5
MEDIUM POC This Month

The Simple File List WordPress plugin before 4.4.12 does not implement nonce checks, which could allow attackers to make a logged in admin create new page and change it's content via a CSRF attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Simple File List
NVD WPScan
EPSS 0% CVSS 4.8
MEDIUM POC This Month

The Simple File List WordPress plugin before 4.4.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Simple File List
NVD WPScan
EPSS 44% CVSS 6.1
MEDIUM POC THREAT This Month

The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Simple File List
NVD WPScan
EPSS 86% 5.6 CVSS 7.5
HIGH POC PATCH THREAT Act Now

The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 85.8%.

PHP WordPress Path Traversal +1
NVD WPScan VulDB
EPSS 7% CVSS 9.8
CRITICAL POC PATCH Act Now

WordPress Plugin Simple File List before 4.2.8 is prone to a vulnerability that lets attackers delete arbitrary files because the application fails to properly verify user-supplied input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

WordPress Path Traversal Simple File List
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy