{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24953", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:29.518Z", "datePublished": "2026-02-20T15:47:08.637Z", "dateUpdated": "2026-04-28T16:14:51.277Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "simple-file-list", "product": "Simple File List", "vendor": "Mitchell Bennis", "versions": [{"changes": [{"at": "6.1.16", "status": "unaffected"}], "lessThanOrEqual": "6.1.15", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:56.710Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List simple-file-list allows Path Traversal.<p>This issue affects Simple File List: from n/a through <= 6.1.15.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List simple-file-list allows Path Traversal.This issue affects Simple File List: from n/a through <= 6.1.15."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:51.277Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/simple-file-list/vulnerability/wordpress-simple-file-list-plugin-6-1-15-arbitrary-file-download-vulnerability?_s_id=cve"}], "title": "WordPress Simple File List plugin <= 6.1.15 - Arbitrary File Download vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T20:58:00.759880Z", "id": "CVE-2026-24953", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:49:57.361Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24953", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:29.518Z", "datePublished": "2026-02-20T15:47:08.637Z", "dateUpdated": "2026-04-28T14:49:57.361Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "simple-file-list", "product": "Simple File List", "vendor": "Mitchell Bennis", "versions": [{"changes": [{"at": "6.1.16", "status": "unaffected"}], "lessThanOrEqual": "6.1.15", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:26:30.132Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List simple-file-list allows Path Traversal.<p>This issue affects Simple File List: from n/a through <= 6.1.15.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List simple-file-list allows Path Traversal.This issue affects Simple File List: from n/a through <= 6.1.15."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:47.083Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/simple-file-list/vulnerability/wordpress-simple-file-list-plugin-6-1-15-arbitrary-file-download-vulnerability?_s_id=cve"}], "title": "WordPress Simple File List plugin <= 6.1.15 - Arbitrary File Download vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24953", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T20:58:00.759880Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T20:58:14.384Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List simple-file-list allows Path Traversal.This issue affects Simple File List: from n/a through <= 6.1.15."}, {"lang": "es", "value": "Vulnerabilidad de Limitaci\u00f3n Inadecuada de un Nombre de Ruta a un Directorio Restringido ('Salto de Ruta') en Mitchell Bennis Simple File List simple-file-list permite Salto de Ruta. Este problema afecta a Simple File List: desde n/a hasta &lt;= 6.1.15."}], "id": "CVE-2026-24953", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:39.547", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/simple-file-list/vulnerability/wordpress-simple-file-list-plugin-6-1-15-arbitrary-file-download-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.1.15]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Simple File List", "source": "cna", "vendor": "Mitchell Bennis"}, "product": "simple_file_list", "vendor": "mitchell_bennis"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T23:57:45.890375+00:00", "value": {"mitigation_remediation": ["Upgrade Mitchell Bennis Simple File List to version 6.1.16 or later to patch the path traversal flaw.", "If an immediate upgrade is not possible, disable the plugin\u2019s file download functionality or remove the plugin entirely to eliminate the vulnerable endpoint.", "Ensure the web server\u2019s file system permissions restrict read access to sensitive directories, and employ server\u2011side access controls (.htaccess, Nginx allow/deny) to prevent the plugin from serving files outside its intended scope."], "summary": {"action": "Apply patch", "impact": "Arbitrary file download via path traversal"}, "threat_synthesis": {"affected_systems": "All installations of the Mitchell Bennis Simple File List plugin with versions 6.1.15 and earlier are affected. The vulnerability applies uniformly across all releases in that range, regardless of WordPress version, and is likely present on any WordPress site that has an unpatched instance of the plugin.", "description_and_impact": "Exploitable path traversal flaw exists in the Mitchell Bennis Simple File List WordPress plugin, allowing an attacker to download any file on the web server by manipulating the download parameter. The vulnerability permits disclosure of confidential information (e.g., configuration files, user data, or code) but does not provide arbitrary code execution. The flaw is classed as CWE-22 and has a CVSS score of 6.5, indicating medium severity for confidentiality loss and potential service disruption.", "risk_and_exploitability": "The CVSS score of 6.5 reflects significant risk to confidentiality. EPSS indicates a very low probability of real\u2011world exploitation (<1%), and the flaw is not included in the CISA KEV catalog. Attackers can exploit the flaw remotely from the public internet by issuing a crafted request to the plugin\u2019s file download endpoint; no local privilege or authentication is required if the endpoint is publicly accessible. Because the flaw allows arbitrary file download, it can be used as a data exfiltration vector or to obtain files necessary for subsequent attacks."}}}}, "created": "2026-02-23T14:35:51.540590+00:00", "updated": "2026-04-16T00:00:14.157737+00:00", "vendors": ["mitchell_bennis", "mitchell_bennis$PRODUCT$simple_file_list", "wordpress", "wordpress$PRODUCT$wordpress"]}