Security Advisory – CVE-2020-12832

Product: Simple File List
Vendor : https://elementengage.com
Vulnerable Version: Simple File List 4.2.7
Category: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-22
Vendor Notified: 2020-05-03
Patched: 2020-05-11
Researcher(s): Christian Angel
CVE: CVE-2020-12832

Simple File List is a free plugin that gives your WordPress website a list of your files allowing your users to open and download them. Users can also upload files if you choose. Simple File List is also an alternative to using FTP or Dropbox for larger files.

Summary

The WordPress plugin Simple File List is prone to a path traversal vulnerability that lets attackers delete arbitrary files on the web server. The plugin's file deletion routine fails to properly validate the user-supplied file name before acting on it, so a name containing directory traversal sequences is not confined to the plugin's file directory.
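The flaw described above is the classic "delete whatever name the client sends" pattern. The following is an added illustration written for this advisory; it is not the plugin's own code, and the function names, the upload directory layout and the sample files are all hypothetical. It shows a deletion handler that joins the supplied name onto the directory as-is, next to a hardened version that strips directory components, canonicalises the path and refuses anything that resolves outside the intended directory.

```php
<?php
// Added example, not code from Simple File List. Names are hypothetical.

// Vulnerable pattern: the client-supplied name is appended to the directory
// and deleted as-is. A value such as "../wp-config.php" escapes $uploadDir.
function delete_file_vulnerable(string $uploadDir, string $userFile): bool
{
    $target = $uploadDir . '/' . $userFile;
    if (!is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Hardened version: discard any directory component, resolve the real path,
// and only unlink if the result still lies inside the upload directory.
// In a WordPress handler this would additionally sit behind a nonce check
// (check_ajax_referer) and a capability check (current_user_can).
function delete_file_safe(string $uploadDir, string $userFile): bool
{
    // basename() drops "../" prefixes and absolute paths; reject dot names.
    $name = basename($userFile);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }

    $base = realpath($uploadDir);
    if ($base === false) {
        return false;
    }

    // realpath() returns false for a missing file and resolves symlinks, so a
    // link inside the directory that points outside is caught by the prefix
    // check below rather than followed.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_file($target)) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Demonstration on a throwaway directory tree (constructed input, no real site):
//   $tmp/uploads/report.pdf   is a legitimate file inside the directory
//   $tmp/secret.txt           stands in for a file the attacker must not reach
$tmp = sys_get_temp_dir() . '/sfl-demo-' . getmypid();
mkdir($tmp . '/uploads', 0700, true);
file_put_contents($tmp . '/uploads/report.pdf', 'inside');
file_put_contents($tmp . '/secret.txt', 'outside');
$uploadDir = $tmp . '/uploads';

$payload = '../secret.txt';

// Hardened handler: traversal name is reduced to "secret.txt", which does not
// exist inside uploads, so nothing is deleted.
var_dump(delete_file_safe($uploadDir, $payload));       // bool(false)
var_dump(file_exists($tmp . '/secret.txt'));            // bool(true)

// Hardened handler still deletes a legitimate in-directory file.
var_dump(delete_file_safe($uploadDir, 'report.pdf'));   // bool(true)

// Vulnerable handler: the same payload removes the file outside the directory.
var_dump(delete_file_vulnerable($uploadDir, $payload)); // bool(true)
var_dump(file_exists($tmp . '/secret.txt'));            // bool(false)

// Clean up the demo tree.
@unlink($tmp . '/secret.txt');
@unlink($tmp . '/uploads/report.pdf');
rmdir($tmp . '/uploads');
rmdir($tmp);
```

Run it with `php traversal-demo.php`. The hardened version deliberately does both checks: basename() alone is enough for the simple "../" case, but the realpath() prefix comparison is what catches symlinks and any platform-specific separator handling, and it costs nothing extra.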

Proof of Concept

Because of the severity of the vulnerability, the proof of concept is not being released to the public.

Solution

Update the plugin to the latest version. The fix was committed to the plugin's repository in changeset 2302759 (see References).

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12832

https://plugins.trac.wordpress.org/changeset/2302759
