CVE-2022-1119
🟡 Monitor
A vulnerability in the Simple File List plugin allows unauthorized file download.
CVSS
7.5
EPSS
85.8%
Exploit
poc
Vendor
simplefilelist
Source description (NVD)
The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls, which makes it possible for unauthenticated attackers to supply a path to a file that will subsequently be downloaded, in versions up to and including 3.2.7.
exploit
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 7.5 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (probability of exploitation) | 85.8% |
| Published (NVD) | 2022-04-19 21:15:13 UTC |
| Last modified (NVD) | 2026-04-08 19:17:49 UTC |
References
- https://docs.google.com/document/d/1qIZXTzEpI4tO6832vk1KfsSAroT0FY2l--THlhJ8z3c/edit (security@wordfence.com) [Exploit, Third Party Advisory]
- https://plugins.trac.wordpress.org/browser/simple-file-list/trunk/includes/ee-downloader.php?rev=2071880 (security@wordfence.com) [Patch, Third Party Advisory]
- https://wpscan.com/vulnerability/075a3cc5-1970-4b64-a16f-3ec97e22b606 (security@wordfence.com) [Exploit, Third Party Advisory]
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ff21241d-e488-4460-b8c2-d5a070c8c107?source=cve (security@wordfence.com)