UnSanitized URLs Lead to Reflected Cross-Site Scripting in Simple File List WordPress Plugin
CVE-2024-10146

Currently unrated

Key Information:

Vendor: Wordpress
Status: Simple File List
Vendor: CVE Published:; 14 November 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against admins.

Affected Version(s)

Simple File List 0 < 6.1.13

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-10146 - Proof of Concept

References

https://wpscan.com/vulnerability/9ee74a0f-83ff-4c15-a114-...

exploitvdb-entrytechnical-description

Timeline

🟡
Public PoC available
Nov 14, 2024
👾
Exploit known to exist
Nov 14, 2024
Vulnerability published
Nov 14, 2024
Vulnerability Reserved
Oct 18, 2024

Credit

tu3n4nh

WPScan