The vulnerability is a missing authorization flaw that allows an attacker to change the settings of the Simple File List plugin without proper permission checks. It is classified as a missing authorization weakness (CWE‑862). An attacker who can reach the plugin’s administration interface can alter configuration values, potentially affecting how files are displayed or logged on a WordPress site. The CVSS score of 5.3 indicates a medium severity impact, as the flaw does not provide direct code execution but can subvert site configuration and policy.

The Simple File List plugin from Mitchell Bennis is affected. Versions from the earliest available installation through version 6.1.13 are vulnerable, with no newer versions included in the current vulnerability data.

The EPSS score of less than 1 % signals a very low probability of real‑world exploitation, and the flaw is not listed in the CISA KEV catalog. Nonetheless, an attacker who gains access to the WordPress site—particularly an authenticated user with administrative or plugin‑management privileges—could manipulate plugin settings by exploiting the lack of proper authorization checks. Because the vulnerability directly impacts configuration, it could lead to unintended site behavior, but does not immediately compromise the underlying server or WordPress core. The risk remains moderate given the CVSS score and the limited exploitation vector.