CVE-2026-24953
Status: Awaiting Analysis - Queue
Path Traversal in Simple File List Allows Unauthorized File Access

Publication date: 2026-02-20

Last updated on: 2026-02-26

Assigner: Patchstack

Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List simple-file-list allows Path Traversal. This issue affects Simple File List: from n/a through <= 6.1.15.
Meta Information
Published: 2026-02-20
Last Modified: 2026-02-26
Generated: 2026-06-16
AI Q&A: 2026-02-20
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: mitchell_bennis
Product: simple_file_list
Version / Range: up to 6.1.15 (inclusive)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Mitigation Strategies

The primary immediate step to mitigate this vulnerability is to update the Simple File List WordPress plugin to version 6.1.16 or later, where the issue has been patched.

Until the update can be applied, it is recommended to apply Patchstack’s mitigation rules, which can block exploitation attempts targeting this vulnerability.

Also, consider enabling automatic updates for vulnerable plugins to ensure rapid protection against similar issues in the future.

Executive Summary

CVE-2026-24953 is a Path Traversal vulnerability in the Simple File List WordPress plugin (versions up to and including 6.1.15). This vulnerability allows an attacker to bypass access controls and download arbitrary files from the affected website.

Specifically, it enables authenticated users with only subscriber-level privileges, who are not authorized to read such files, to access sensitive files such as login credentials or backups, because the plugin does not properly limit user-supplied pathnames to the intended directory.

The issue is classified under OWASP Top 10 A1: Broken Access Control and has a CVSS severity score of 6.5, indicating a significant risk.

Impact Analysis

This vulnerability can have serious impacts as it allows attackers to download any file from the affected website without proper authorization.

- Exposure of sensitive information such as login credentials.
- Access to backup files that may contain confidential data.
- Potential compromise of the website's security and user data.

Because the exploit requires only subscriber-level privileges, a wide range of attackers can potentially exploit this vulnerability.

Mitigation involves updating the plugin to version 6.1.16 or later and applying protective rules provided by Patchstack. [1]

Detection Guidance

This vulnerability allows an attacker with subscriber-level privileges to download arbitrary files from the affected website, including sensitive files. Detection can involve monitoring for unusual file download requests or attempts to access restricted files through the Simple File List plugin.

While specific commands are not provided, network or system administrators can look for suspicious HTTP requests targeting the Simple File List plugin endpoints, especially those attempting path traversal patterns (e.g., requests containing '../' sequences) or accessing files outside the intended directories.

Additionally, applying Patchstack’s mitigation rules can help detect and block exploitation attempts until the plugin is updated. [1]
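As an added example (not part of this advisory and not the plugin's own code), the following Python script applies the detection guidance above to web server access logs: it percent-decodes each request target repeatedly so that encoded and double-encoded '../' sequences are caught, flags traversal attempts, and marks whether a request references the plugin slug simple-file-list and whether the server answered 200. The log lines are constructed, and the endpoint and parameter names in them (PLACEHOLDER.php, file=) are placeholders rather than the plugin's real ones.

```python
import re
from urllib.parse import unquote

PLUGIN_SLUG = "simple-file-list"  # plugin slug named in the advisory

# Constructed access-log lines (combined log format), not real traffic. The endpoint
# and parameter names (PLACEHOLDER.php, file=) are placeholders, not the plugin's own.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Feb/2026:10:01:02 +0000] "GET /wp-content/plugins/simple-file-list/PLACEHOLDER.php?file=../../../wp-config.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Feb/2026:10:01:05 +0000] "GET /wp-content/plugins/simple-file-list/PLACEHOLDER.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Feb/2026:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=PLACEHOLDER&file=%252e%252e%252fbackup.zip HTTP/1.1" 404 120 "-" "curl/8.0"
198.51.100.4 - - [20/Feb/2026:10:02:00 +0000] "GET /wp-content/uploads/simple-file-list/report.pdf HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Feb/2026:10:03:00 +0000] "GET /blog/2026/02/a..b HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# '..' bounded by a path separator or a query delimiter; 'a..b' inside a normal slug does not match
TRAVERSAL_RE = re.compile(r'(?:^|[/=?&])\.\.(?:/|[?&]|$)')

def fully_decode(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded '%252e%252e%252f' is seen as '../';
    backslashes are folded to '/' because some servers treat them as separators."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")

def has_traversal(target: str) -> bool:
    return TRAVERSAL_RE.search(fully_decode(target)) is not None

def scan_access_log(text: str) -> list:
    """Return one record per request whose decoded target contains a traversal sequence."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not has_traversal(m.group("target")):
            continue
        decoded = fully_decode(m.group("target"))
        hits.append({
            "ip": m.group("ip"),
            "target": m.group("target"),
            "decoded": decoded,
            "plugin_related": PLUGIN_SLUG in decoded.lower(),  # request referenced the vulnerable plugin
            "served": m.group("status") == "200",               # 200 suggests the file was actually returned
        })
    return hits
```

A traversal request that is both plugin_related and served is the case worth escalating first; the same scanner can be pointed at a real log by passing the file contents to scan_access_log.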
