Vulnerabilites related to simplefilelist - simple_file_list
Vulnerability from fkie_nvd
Published
2023-03-27 16:15
Modified
2024-11-21 07:38
Summary
The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Impacted products
Vendor Product Version
simplefilelist simple_file_list *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:simplefilelist:simple_file_list:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "D553357F-69B1-4EC9-A10D-68405570D05C",
              "versionEndExcluding": "6.0.10",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."
    }
  ],
  "id": "CVE-2023-1025",
  "lastModified": "2024-11-21T07:38:18.537",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-03-27T16:15:09.433",
  "references": [
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/13621b13-8d31-4214-a665-cb15981f3ec1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/13621b13-8d31-4214-a665-cb15981f3ec1"
    }
  ],
  "sourceIdentifier": "contact@wpscan.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-10-25 18:17
Modified
2024-11-21 08:16
Summary
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mitchell Bennis Simple File List plugin <= 6.1.9 versions.
Impacted products
Vendor Product Version
simplefilelist simple_file_list *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:simplefilelist:simple_file_list:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "75DF1F89-DCA7-4731-9E55-BC35CF42C77F",
              "versionEndIncluding": "6.1.9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mitchell Bennis Simple File List plugin \u003c=\u00a06.1.9 versions."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de Cross-Site Scripting (XSS) Almacenado autenticado (con permisos de admin o superiores) en el complemento Mitchell Bennis Simple File List en versiones \u0026lt;= 6.1.9."
    }
  ],
  "id": "CVE-2023-39924",
  "lastModified": "2024-11-21T08:16:03.057",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 3.7,
        "source": "audit@patchstack.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-10-25T18:17:29.753",
  "references": [
    {
      "source": "audit@patchstack.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://patchstack.com/database/vulnerability/simple-file-list/wordpress-simple-file-list-plugin-6-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://patchstack.com/database/vulnerability/simple-file-list/wordpress-simple-file-list-plugin-6-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve"
    }
  ],
  "sourceIdentifier": "audit@patchstack.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "audit@patchstack.com",
      "type": "Primary"
    }
  ]
}

cve-2023-39924
Vulnerability from cvelistv5
Published
2023-10-24 11:51
Modified
2024-09-09 14:45
Summary
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mitchell Bennis Simple File List plugin <= 6.1.9 versions.
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:18:10.076Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://patchstack.com/database/vulnerability/simple-file-list/wordpress-simple-file-list-plugin-6-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-39924",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-09T14:34:35.638431Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-09T14:45:02.631Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "simple-file-list",
          "product": "Simple File List",
          "vendor": "Mitchell Bennis",
          "versions": [
            {
              "lessThanOrEqual": "6.1.9",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Bae Song Hyun (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mitchell Bennis Simple File List plugin \u0026lt;=\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;6.1.9 versions.\u003c/span\u003e"
            }
          ],
          "value": "Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mitchell Bennis Simple File List plugin \u003c=\u00a06.1.9 versions."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-592 Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-24T11:51:07.312Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/simple-file-list/wordpress-simple-file-list-plugin-6-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Simple File List Plugin \u003c= 6.1.9 is vulnerable to Cross Site Scripting (XSS)",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2023-39924",
    "datePublished": "2023-10-24T11:51:07.312Z",
    "dateReserved": "2023-08-07T12:46:53.219Z",
    "dateUpdated": "2024-09-09T14:45:02.631Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-1025
Vulnerability from cvelistv5
Published
2023-03-27 15:37
Modified
2024-08-02 05:32
Severity ?
Summary
The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
References
https://wpscan.com/vulnerability/13621b13-8d31-4214-a665-cb15981f3ec1exploit, vdb-entry, technical-description
Impacted products
Vendor Product Version
Unknown Simple File List Version: 0   < 6.0.10
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T05:32:46.453Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "exploit",
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/13621b13-8d31-4214-a665-cb15981f3ec1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "product": "Simple File List",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "6.0.10",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Shreya Pohekar"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79 Cross-Site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-27T15:37:42.298Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/13621b13-8d31-4214-a665-cb15981f3ec1"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Simple File List \u003c 6.0.10 - Admin+ Stored XSS",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2023-1025",
    "datePublished": "2023-03-27T15:37:42.298Z",
    "dateReserved": "2023-02-24T19:04:10.457Z",
    "dateUpdated": "2024-08-02T05:32:46.453Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}