CVE-2026-24953
Path Traversal in Simple File List Allows Unauthorized File Access
Publication date: 2026-02-20
Last updated on: 2026-02-26
Assigner: Patchstack
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mitchell_bennis | simple_file_list | up to and including 6.1.15 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The primary immediate step to mitigate this vulnerability is to update the Simple File List WordPress plugin to version 6.1.16 or later, where the issue has been patched.
Until the update can be applied, it is recommended to apply Patchstack's mitigation rules, which can block exploitation attempts targeting this vulnerability.
Also, consider enabling automatic updates for vulnerable plugins to ensure rapid protection against similar issues in the future.
Can you explain this vulnerability to me?
CVE-2026-24953 is a Path Traversal vulnerability in the Simple File List WordPress plugin (versions up to and including 6.1.15). This vulnerability allows an attacker to bypass access controls and download arbitrary files from the affected website.
Specifically, it enables unauthorized users with only subscriber-level privileges to access sensitive files such as login credentials or backups by exploiting improper limitation of pathnames to restricted directories.
The issue is classified under OWASP Top 10 A1: Broken Access Control and has a CVSS severity score of 6.5, indicating a significant risk.
How can this vulnerability impact me?
This vulnerability can have serious impacts as it allows attackers to download any file from the affected website without proper authorization.
- Exposure of sensitive information such as login credentials.
- Access to backup files that may contain confidential data.
- Potential compromise of the website's security and user data.
Because the exploit requires only subscriber-level privileges, a wide range of attackers can potentially exploit this vulnerability.
Mitigation involves updating the plugin to version 6.1.16 or later and applying protective rules provided by Patchstack. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows an attacker with subscriber-level privileges to download arbitrary files from the affected website, including sensitive files. Detection can involve monitoring for unusual file download requests or attempts to access restricted files through the Simple File List plugin.
While specific commands are not provided, network or system administrators can look for suspicious HTTP requests targeting the Simple File List plugin endpoints, especially those attempting path traversal patterns (e.g., requests containing '../' sequences) or accessing files outside the intended directories.
Additionally, applying Patchstack's mitigation rules can help detect and block exploitation attempts until the plugin is updated. [1]
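The log review described above, as an added example that is not part of this advisory or of the plugin: it scans web-server access-log lines for requests to the plugin's directory whose target, after repeated percent-decoding, contains a `..` path segment. The plugin slug `simple-file-list`, the endpoint `download.php`, the `file` parameter and the log lines themselves are constructed assumptions, not values taken from the advisory.

```python
import re
from urllib.parse import unquote

# Assumption (not from the advisory): the plugin's directory name under wp-content/plugins.
PLUGIN_SLUG = "simple-file-list"

# Constructed sample access-log lines (common log format). The endpoint and the
# query parameter are placeholders, not the plugin's real names.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Feb/2026:10:01:02 +0000] "GET /wp-content/plugins/simple-file-list/download.php?file=report.pdf HTTP/1.1" 200 5120
10.0.0.7 - - [20/Feb/2026:10:01:09 +0000] "GET /wp-content/plugins/simple-file-list/download.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3072
10.0.0.7 - - [20/Feb/2026:10:01:15 +0000] "GET /wp-content/plugins/simple-file-list/download.php?file=%252e%252e/%252e%252e/backup.zip HTTP/1.1" 200 90112
10.0.0.9 - - [20/Feb/2026:10:02:00 +0000] "GET /wp-content/plugins/other-plugin/x.php?f=../../etc/passwd HTTP/1.1" 404 120
"""

# Request target between the method and the protocol version.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A ".." segment delimited by a slash, backslash, or a query delimiter.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=?&])\.\.(?:[/\\]|$)')


def normalize(target: str) -> str:
    """Percent-decode until stable (catches double encoding) and unify slashes."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def is_plugin_traversal(line: str) -> bool:
    """True when the request targets the plugin and carries a '..' segment."""
    match = REQUEST_RE.search(line)
    if not match:
        return False
    target = normalize(match.group(1))
    return PLUGIN_SLUG in target and bool(TRAVERSAL_RE.search(target))


def find_suspicious(log_text: str) -> list[str]:
    """Return the log lines worth investigating; other plugins are out of scope here."""
    return [ln for ln in log_text.splitlines() if is_plugin_traversal(ln)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The fourth sample line is deliberately left unflagged: it carries a traversal pattern but targets a different plugin, so a real deployment would widen `PLUGIN_SLUG` or drop the check to catch it.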