Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List (simple-file-list) allows Path Traversal. This issue affects Simple File List: from n/a through <= 6.1.14.
Published: 2025-08-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Simple File List plugin for WordPress contains a path traversal flaw (CWE-22) in its file download functionality. Because the plugin does not canonicalise the requested path and confine it to the intended directory, an attacker can craft an HTTP request that reaches outside that directory and download any file the web server process can read, such as the site's wp-config.php with its database credentials. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) describes an unauthenticated, network-reachable, read-only primitive: confidentiality impact is high, while integrity and availability are not affected directly. Credentials or keys recovered this way can of course be used for further attacks, but that is a second step, not part of this CVE.

Affected Systems

WordPress sites running the Simple File List plugin at version 6.1.14 or earlier are vulnerable. The advisory gives no lower bound ("from n/a"), so every release up to and including 6.1.14 should be treated as affected. Because the CVSS vector requires no privileges (PR:N), any site with the plugin active and its download functionality reachable from the internet is exposed.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 is rated High. The EPSS score below 1% indicates a low predicted probability of exploitation in the wild over the next 30 days, and the CVE is not listed in the CISA KEV catalog. The SSVC assessment records Exploitation: none but Automatable: yes, which is consistent with a traversal that needs nothing more than a crafted URL. The attack vector is remote and unauthenticated: an attacker constructs a request to the plugin's download functionality whose path component steps outside the intended directory and, if the request succeeds, reads any file the web server process can access.

Generated by OpenCVE AI on April 30, 2026 at 16:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Simple File List plugin as soon as a release newer than 6.1.14 that addresses the path traversal is available. This page records no vendor fix at the time of generation, so confirm in the plugin's changelog that the update actually closes this issue before relying on it.
  • If an upgrade is not yet possible, uninstall the plugin rather than merely deactivating it: deactivation leaves the plugin's files on disk, and any PHP file that the web server serves on direct request remains reachable.
  • Run the web server with the least file access the site needs (wp-config.php readable only by the PHP process user, nothing readable outside the document root), and verify that the plugin's file path inputs are canonicalised with realpath() and checked against the allowed base directory rather than filtered for traversal patterns, in line with CWE-22 guidance. Review access logs for requests to the plugin's path that contain "../" or its URL-encoded forms.



Advisories
Source: EUVD
ID: EUVD-2025-28548
Title: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List allows Path Traversal. This issue affects Simple File List: from n/a through 6.1.14.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List allows Path Traversal. This issue affects Simple File List: from n/a through 6.1.14.
  Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List simple-file-list allows Path Traversal.This issue affects Simple File List: from n/a through <= 6.1.14.
Type: Title
  Removed: WordPress Simple File List <= 6.1.14 - Arbitrary File Download Vulnerability
  Added: WordPress Simple File List plugin <= 6.1.14 - Arbitrary File Download vulnerability
Type: References
Type: Metrics cvssV3_1
  Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 20 Aug 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 08:15:00 +0000

Type: Description
  Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List allows Path Traversal. This issue affects Simple File List: from n/a through 6.1.14.
Type: Title
  Added: WordPress Simple File List <= 6.1.14 - Arbitrary File Download Vulnerability
Type: Weaknesses
  Added: CWE-22
Type: References
Type: Metrics cvssV3_1
  Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:28.810Z

Reserved: 2025-07-16T08:51:37.993Z

Link: CVE-2025-54021

Vulnrichment

Updated: 2025-08-20T13:55:19.704Z

NVD

Status : Deferred

Published: 2025-08-20T08:15:46.033

Modified: 2026-04-23T15:32:42.997

Link: CVE-2025-54021

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:15:06Z

Weaknesses