Exploitable path traversal flaw exists in the Mitchell Bennis Simple File List WordPress plugin, allowing an attacker to download any file on the web server by manipulating the download parameter. The vulnerability permits disclosure of confidential information (e.g., configuration files, user data, or code) but does not provide arbitrary code execution. The flaw is classed as CWE-22 and has a CVSS score of 6.5, indicating medium severity for confidentiality loss and potential service disruption.

All installations of the Mitchell Bennis Simple File List plugin with versions 6.1.15 and earlier are affected. The vulnerability applies uniformly across all releases in that range, regardless of WordPress version, and is likely present on any WordPress site that has an unpatched instance of the plugin.

The CVSS score of 6.5 reflects significant risk to confidentiality. EPSS indicates a very low probability of real‑world exploitation (<1%), and the flaw is not included in the CISA KEV catalog. Attackers can exploit the flaw remotely from the public internet by issuing a crafted request to the plugin’s file download endpoint; no local privilege or authentication is required if the endpoint is publicly accessible. Because the flaw allows arbitrary file download, it can be used as a data exfiltration vector or to obtain files necessary for subsequent attacks.