WordPress · Simple File List · CVE-2022-1119
**Name of the Vulnerable Software and Affected Versions**
Simple File List WordPress plugin versions up to and including 3.2.7
**Description**
The issue allows unauthenticated attackers to download arbitrary files because controls are missing on the `eeFile` parameter handled in the ~/includes/ee-downloader.php file. An attacker can supply a path to a file in this parameter, and that file will subsequently be downloaded.
**Recommendations**
For versions up to and including 3.2.7, update to a version that includes the necessary controls for the `eeFile` parameter to prevent arbitrary file downloads.
As a temporary workaround, consider restricting access to the ~/includes/ee-downloader.php file until a patch is available.
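To check whether the downloader was already reached before the update or the access restriction was in place, web server access logs can be reviewed for `eeFile` values that point outside the file list folder. The script below is an added example, not code from the plugin or its vendor. It assumes combined-format access logs and that legitimate `eeFile` values are relative names without parent-directory segments; the log lines, IP addresses, plugin directory and file names in the sample are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines; IPs, paths and file names are illustrative.
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2022:10:01:02 +0000] "GET /wp-content/plugins/simple-file-list/includes/ee-downloader.php?eeFile=report.pdf HTTP/1.1" 200 5120
203.0.113.9 - - [10/May/2022:10:02:11 +0000] "GET /wp-content/plugins/simple-file-list/includes/ee-downloader.php?eeFile=..%2F..%2F..%2Fexample.conf HTTP/1.1" 200 3310
203.0.113.9 - - [10/May/2022:10:02:15 +0000] "GET /wp-content/plugins/simple-file-list/includes/ee-downloader.php?eeFile=%252e%252e%252fexample.conf HTTP/1.1" 403 199
198.51.100.7 - - [10/May/2022:10:03:40 +0000] "GET /index.php?eeFile=..%2Fexample.conf HTTP/1.1" 404 150
"""

REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalise(value):
    """Undo nested percent-encoding (up to 3 layers) and unify path separators."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def escapes_folder(value):
    """True if the value is absolute, drive-qualified, or has a '..' segment."""
    path = normalise(value)
    return path.startswith("/") or re.match(r"[A-Za-z]:", path) is not None or ".." in path.split("/")


def scan(lines):
    """Return (client_ip, status, normalised eeFile) for suspicious downloader requests."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/ee-downloader.php"):
            continue  # only the file named in the advisory is of interest
        for value in parse_qs(url.query, keep_blank_values=True).get("eeFile", []):
            if escapes_folder(value):
                hits.append((m["ip"], int(m["status"]), normalise(value)))
    return hits


if __name__ == "__main__":
    for ip, status, path in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip} status={status} eeFile={path}")
```

Access logs record only the query string, so a value sent in a request body is not visible to this check. Flagged requests answered with status 200 are the ones to review first.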