CVE Vulnerability

CVE-2022-1119

The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible unauthenticated attackers to supply a path to a file that will subsequently be downloaded, in versions up to and including 3.2.7.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://wpscan.com/vulnerability/075a3cc5-1970-4b64-a16f-3ec97e22b606 Exploit Third Party Advisory
https://plugins.trac.wordpress.org/browser/simple-file-list/trunk/includes/ee-downloader.php?rev=2071880 Patch Third Party Advisory
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1119 Third Party Advisory
https://docs.google.com/document/d/1qIZXTzEpI4tO6832vk1KfsSAroT0FY2l--THlhJ8z3c/edit Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:simplefilelist:simple-file-list:*:*:*:*:*:wordpress:*:*
Information

Published : 2022-04-19 09:15

Updated : 2022-04-27 04:32

NVD link : CVE-2022-1119

Mitre link : CVE-2022-1119

Products Affected
No products.
CWE
CWE-22