Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-10146

Severity
5.4 MEDIUM
EPSS
0.9%
top 23.79%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Timeline
Published Nov 14

Description

The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against admins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages: 2 packages

🔴 Vulnerability Details

2
CVEList
Simple File List < 6.1.13 - Reflected Cross-Site Scripting | 2024-11-14
GHSA
GHSA-c5rh-2mpx-r3x4: The Simple File List WordPress plugin before 6 | 2024-11-14

💥 Exploits & PoCs

1
Nuclei
Simple File List < 6.1.13 - Reflected Cross-Site Scripting
CVE-2024-10146 (MEDIUM CVSS 5.4) | The Simple File List WordPress plug | cvebase.io