WordPress Plugin Vulnerabilities

Simple File List < 6.1.14 - Missing Authorization to Unauthenticated Minor Settings Update

Description

The Simple File List plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eeSFL_BASE_Setup() function in all versions up to, and including, 6.1.13. This makes it possible for unauthenticated attackers to set the eeSFL_Lang option to en_US

Affects Plugins

Plugin icon
simple-file-list
Fixed in 6.1.14

References

CVE
CVE-2025-47450
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/207eedfc-8b42-49be-be7a-98da38ad7ee6

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Kévin Mosbahi (Mika)
Verified
No
WPVDB ID
aedab3a9-cf83-4f69-a282-7d1b07176e95

Timeline

Publicly Published
2025-05-07 (about 1 year ago)
Added
2025-05-13 (about 1 year ago)
Last Updated
2025-05-13 (about 1 year ago)

Other

Published
Title
Published
2025-06-19
Title
eDS Responsive Menu <= 1.2 - Missing Authorization
Published
2024-04-22
Title
WP Travel Engine < 5.8.1 - Unauthenticated Price Manipulation
Published
2026-02-18
Title
Virusdie < 1.1.8 - Missing Authorization to Authenticated (Subscriber+) API Key Disclosure
Published
2025-08-27
Title
Ajax Search Lite < 4.13.2 - Missing Authorization to Unauthenticated Basic Information Exposure via ASL_Query in AJAX Search Handler
Published
2025-12-20
Title
WP JobHunt <= 7.7 - Missing Authorization to Authenticated (Candidate+) Stored Cross-Site Scripting via 'status'