CVE-2022-1119

The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file. Missing controls make it possible for unauthenticated attackers to supply a path to a file that will subsequently be downloaded. Versions up to and including 3.2.7 are affected.

Configurations

Configuration 1

cpe:2.3:a:simplefilelist:simple-file-list:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 06:40

Type | Values Removed | Values Added
References | https://docs.google.com/document/d/1qIZXTzEpI4tO6832vk1KfsSAroT0FY2l--THlhJ8z3c/edit - Exploit, Third Party Advisory | https://docs.google.com/document/d/1qIZXTzEpI4tO6832vk1KfsSAroT0FY2l--THlhJ8z3c/edit - Exploit, Third Party Advisory
References | https://plugins.trac.wordpress.org/browser/simple-file-list/trunk/includes/ee-downloader.php?rev=2071880 - Patch, Third Party Advisory | https://plugins.trac.wordpress.org/browser/simple-file-list/trunk/includes/ee-downloader.php?rev=2071880 - Patch, Third Party Advisory
References | https://wpscan.com/vulnerability/075a3cc5-1970-4b64-a16f-3ec97e22b606 - Exploit, Third Party Advisory | https://wpscan.com/vulnerability/075a3cc5-1970-4b64-a16f-3ec97e22b606 - Exploit, Third Party Advisory
References | https://www.wordfence.com/threat-intel/vulnerabilities/id/ff21241d-e488-4460-b8c2-d5a070c8c107?source=cve | https://www.wordfence.com/threat-intel/vulnerabilities/id/ff21241d-e488-4460-b8c2-d5a070c8c107?source=cve

11 Jan 2024, 09:15

Type | Values Removed | Values Added
Summary | The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible for unauthenticated attackers to supply a path to a file that will subsequently be downloaded, in versions up to and including 3.2.7. | The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible for unauthenticated attackers to supply a path to a file that will subsequently be downloaded, in versions up to and including 3.2.7.
References
  • https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1119 - Third Party Advisory (MISC)
  • https://www.wordfence.com/threat-intel/vulnerabilities/id/ff21241d-e488-4460-b8c2-d5a070c8c107?source=cve

Information

Published : 2022-04-19 21:15

Updated : 2024-11-21 06:40


NVD link : CVE-2022-1119

Mitre link : CVE-2022-1119

CVE.ORG link : CVE-2022-1119



Products Affected

simplefilelist

  • simple-file-list

CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')