CVE-2022-1119
📋 TL;DR
This vulnerability allows unauthenticated attackers to download arbitrary files from WordPress servers running the Simple File List plugin. Attackers can exploit the missing path validation in the ee-downloader.php file to access sensitive system files. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Simple File List WordPress Plugin
📦 What is this software?
Simple File List by Simplefilelist
⚠️ Risk & Real-World Impact
Worst Case
Attackers download wp-config.php containing database credentials, SSH keys, password files, or other sensitive system files, leading to complete server compromise.
Likely Case
Attackers download WordPress configuration files, plugin files, or other web-accessible sensitive data, potentially enabling further attacks or data theft.
If Mitigated
With proper file permission controls, attackers can only access publicly readable files, limiting damage to already accessible content.
🎯 Exploit Status
Exploitation requires only a crafted HTTP request to the vulnerable endpoint with the eeFile parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.8
Vendor Advisory: https://plugins.trac.wordpress.org/browser/simple-file-list/trunk/includes/ee-downloader.php?rev=2071880
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Simple File List and click 'Update Now'.
4. Verify the version is 3.2.8 or higher.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the Simple File List plugin until patched
wp plugin deactivate simple-file-list
Block Vulnerable Endpoint
Add a web server rule to block access to ee-downloader.php
# Apache: RewriteRule ^.*/includes/ee-downloader\.php$ - [F,L]
# Nginx: location ~ /includes/ee-downloader\.php$ { deny all; }
🧯 If You Can't Patch
- Remove the Simple File List plugin completely from the WordPress installation
- Implement strict file system permissions to limit web server access to sensitive directories
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel → Plugins → Simple File List version. If the version is 3.2.7 or lower, the site is vulnerable.
Check Version:
wp plugin get simple-file-list --field=version
Verify Fix Applied:
Verify plugin version is 3.2.8 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-content/plugins/simple-file-list/includes/ee-downloader.php with eeFile parameter
- Unusual file download patterns from the plugin directory
Network Indicators:
- GET requests to ee-downloader.php with path traversal sequences (../) in parameters
SIEM Query:
source="web_access_logs" AND uri="*ee-downloader.php*" AND (param="*../*" OR param="*..\\*" OR param="*etc/passwd*" OR param="*wp-config.php*")
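As an added example (not part of the advisory), the following Python script applies the log indicators above to a few constructed Apache access-log lines. Unlike the wildcard SIEM query, it URL-decodes the eeFile value before matching, so percent-encoded traversal sequences are flagged as well; the log format, field names and sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2022:12:00:01 +0000] "GET /wp-content/plugins/simple-file-list/includes/ee-downloader.php?eeFile=../../../../wp-config.php HTTP/1.1" 200 3122 "-" "curl/7.79"
203.0.113.5 - - [10/Mar/2022:12:00:02 +0000] "GET /wp-content/plugins/simple-file-list/includes/ee-downloader.php?eeFile=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1800 "-" "curl/7.79"
198.51.100.7 - - [10/Mar/2022:12:01:00 +0000] "GET /wp-content/plugins/simple-file-list/includes/ee-downloader.php?eeFile=report.pdf HTTP/1.1" 200 40000 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Mar/2022:12:02:00 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 500 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')          # "../" or "..\" after decoding
SENSITIVE = ("wp-config.php", "etc/passwd")           # targets named in the advisory


def find_suspicious_downloads(log_text: str) -> list[dict]:
    """Return one record per request to ee-downloader.php whose eeFile value
    contains a traversal sequence or names a sensitive file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/includes/ee-downloader.php"):
            continue
        # parse_qs decodes once; a second unquote normalises double-encoded values.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("eeFile", []):
            value = unquote(raw)
            reasons = []
            if TRAVERSAL_RE.search(value):
                reasons.append("traversal")
            if any(s in value for s in SENSITIVE):
                reasons.append("sensitive-target")
            if reasons:
                # A 200 status on such a request suggests the file was actually served.
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "eeFile": value,
                             "status": int(m.group("status")), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_downloads(SAMPLE_LOG):
        print(hit)
```

Requests to other endpoints are ignored even when they carry traversal sequences, so the script reports only activity against the vulnerable file.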
🔗 References
- https://docs.google.com/document/d/1qIZXTzEpI4tO6832vk1KfsSAroT0FY2l--THlhJ8z3c/edit
- https://plugins.trac.wordpress.org/browser/simple-file-list/trunk/includes/ee-downloader.php?rev=2071880
- https://wpscan.com/vulnerability/075a3cc5-1970-4b64-a16f-3ec97e22b606
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ff21241d-e488-4460-b8c2-d5a070c8c107?source=cve