PT-2022-13669 · WordPress · Simple File List
Admavidhya N
Published 2022-04-19 · Updated 2024-01-11
CVE-2022-1119 · CVSS v3.1 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Simple File List WordPress plugin versions up to and including 3.2.7
Description
The plugin's download endpoint, ~/includes/ee-downloader.php, takes the name of the file to serve from the eeFile request parameter and uses it to build a filesystem path without confining the result to the plugin's file directory. The endpoint requires no authentication, so a remote attacker can supply a path containing traversal sequences (../) and have the server return any file the web server account can read; on a WordPress host that typically includes wp-config.php with the database credentials. The impact is read-only: the CVSS vector (C:H/I:N/A:N) reflects disclosure of file contents, not modification or denial of service.
Recommendations
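Whether the bug was used against a site can be read from the web server access log: look for requests to ee-downloader.php whose eeFile value, once URL decoding is undone, contains a .. segment. The Python below is an added example, not part of this advisory or of the plugin. The log lines are constructed for the example, and the plugin's location under /wp-content/plugins/simple-file-list/ is an assumption (only includes/ee-downloader.php and the eeFile parameter come from the advisory). It decodes repeatedly so that %2e%2e%2f and double-encoded %252e variants are caught, and keeps the HTTP status so successful reads can be separated from failed probes.

```python
"""Hunt for exploitation of the eeFile traversal in web server access logs.

Added example, not code from the advisory or the Simple File List plugin.
The log lines are constructed; the plugin directory is assumed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" format. Request targets containing spaces are not handled.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one legitimate download, three traversal attempts from one
# client (plain, percent-encoded, double-encoded), one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2022:10:15:01 +0000] "GET /wp-content/plugins/simple-file-list/includes/ee-downloader.php?eeFile=reports/q1-2022.pdf HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Apr/2022:10:15:07 +0000] "GET /wp-content/plugins/simple-file-list/includes/ee-downloader.php?eeFile=../../../../wp-config.php HTTP/1.1" 200 3102 "-" "curl/7.68.0"
203.0.113.9 - - [20/Apr/2022:10:15:09 +0000] "GET /wp-content/plugins/simple-file-list/includes/ee-downloader.php?eeFile=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3102 "-" "curl/7.68.0"
203.0.113.9 - - [20/Apr/2022:10:15:12 +0000] "GET /wp-content/plugins/simple-file-list/includes/ee-downloader.php?eeFile=..%252f..%252fwp-config.php HTTP/1.1" 404 196 "-" "python-requests/2.27"
198.51.100.4 - - [20/Apr/2022:10:16:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%2e%2e%2f, %252e%252e%252f, ...) so the
    check sees what the attacker intended. Capped so pathological input cannot loop."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(ee_file: str) -> bool:
    """True if the eeFile value tries to leave the plugin's file directory."""
    normalized = fully_decode(ee_file).replace("\\", "/")
    if normalized.startswith("/") or "\x00" in normalized:
        return True
    # Compare whole path segments: a file literally named "..txt" is not traversal.
    return ".." in normalized.split("/")


def scan_access_log(text: str) -> list[dict]:
    """Return one finding per request to ee-downloader.php carrying a traversal eeFile."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.lower().endswith("/includes/ee-downloader.php"):
            continue
        # parse_qs already applies one round of URL decoding, as PHP does for $_GET.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("eeFile", []):
            if is_traversal(raw):
                findings.append({
                    "client": m["client"],
                    "time": m["time"],
                    "status": int(m["status"]),
                    "ee_file": raw,
                    "decoded": fully_decode(raw),
                    # A 2xx means the handler served something for that path.
                    "likely_success": m["status"].startswith("2"),
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        flag = "SERVED" if f["likely_success"] else "failed"
        print(f'{f["time"]}  {f["client"]:15}  {f["status"]}  {flag:6}  {f["decoded"]}')
```

Run it on a real log with `scan_access_log(open(path).read())`. A 2xx status with a body size close to that of the target file is the signal that the file actually left the server; a 404 for the same client shows a probe that the handler did not resolve.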
For versions up to and including 3.2.7, update to a release that includes the necessary controls for the eeFile parameter (3.2.8 or later), so that a requested file is only served when its canonical path stays inside the plugin's file directory.

If you cannot update immediately, block access to ~/includes/ee-downloader.php at the web server (for example with a deny rule for that file in the Apache or nginx configuration) until the plugin is updated. Because this is the plugin's download endpoint, the block also stops legitimate downloads served through it.

In either case, review the web server access logs for requests to ee-downloader.php whose eeFile value contains ../ or percent-encoded equivalents such as %2e%2e%2f. A 2xx response to such a request means a file outside the plugin directory was disclosed; treat the secrets in wp-config.php as exposed and rotate them.
Exploit
Fix
Weakness Enumeration
Path traversal
Related Identifiers
Affected Products
Simple File List