simplefilelist CVE Vulnerabilities & Metrics

Focus on simplefilelist vulnerabilities and metrics.

Last updated: 18 May 2025, 22:25 UTC

About simplefilelist Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with simplefilelist. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total simplefilelist CVEs: 8
Earliest CVE date: 13 May 2020, 18:15 UTC
Latest CVE date: 14 Nov 2024, 06:15 UTC

Latest CVE reference: CVE-2024-10146

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical simplefilelist CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 1.56

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	6
4.0-6.9	1
7.0-8.9	1
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS simplefilelist CVEs

These are the five CVEs with the highest CVSS scores for simplefilelist, sorted by severity first and recency.

CVE-2020-12832 simplefilelist Published on 13 May 2020, 18:15 UTC (CVSS: 7.5)
WordPress Plugin Simple File List before 4.2.8 is prone to a vulnerability that lets attackers delete arbitrary files because the application fails to properly verify user-supplied input.
CVE-2022-1119 simplefilelist Published on 19 Apr 2022, 21:15 UTC (CVSS: 5.0)
The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible unauthenticated attackers to supply a path to a file that will subsequently be downloaded, in versions up to and including 3.2.7.
CVE-2024-10146 simplefilelist Published on 14 Nov 2024, 06:15 UTC (CVSS: 0)
The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against admins.
CVE-2023-39924 simplefilelist Published on 25 Oct 2023, 18:17 UTC (CVSS: 0)
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mitchell Bennis Simple File List plugin <= 6.1.9 versions.
CVE-2023-1025 simplefilelist Published on 27 Mar 2023, 16:15 UTC (CVSS: 0)
The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

All CVEs for simplefilelist

CVE-2024-10146 simplefilelist vulnerability CVSS: 0 14 Nov 2024, 06:15 UTC

The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against admins.

CVE-2023-39924 simplefilelist vulnerability CVSS: 0 25 Oct 2023, 18:17 UTC

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mitchell Bennis Simple File List plugin <= 6.1.9 versions.

CVE-2023-1025 simplefilelist vulnerability CVSS: 0 27 Mar 2023, 16:15 UTC

The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2022-3208 simplefilelist vulnerability CVSS: 0 10 Oct 2022, 21:15 UTC

The Simple File List WordPress plugin before 4.4.12 does not implement nonce checks, which could allow attackers to make a logged in admin create new page and change it's content via a CSRF attack.

CVE-2022-3207 simplefilelist vulnerability CVSS: 0 10 Oct 2022, 21:15 UTC

The Simple File List WordPress plugin before 4.4.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-3062 simplefilelist vulnerability CVSS: 0 26 Sep 2022, 13:15 UTC

The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting

CVE-2022-1119 simplefilelist vulnerability CVSS: 5.0 19 Apr 2022, 21:15 UTC

The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible unauthenticated attackers to supply a path to a file that will subsequently be downloaded, in versions up to and including 3.2.7.

CVE-2020-12832 simplefilelist vulnerability CVSS: 7.5 13 May 2020, 18:15 UTC

WordPress Plugin Simple File List before 4.2.8 is prone to a vulnerability that lets attackers delete arbitrary files because the application fails to properly verify user-supplied input.