CVE-2023-4297: 
WordPress vulnerability analysis and mitigation

The Mmm Simple File List WordPress plugin through version 2.3 contains a directory traversal vulnerability (CVE-2023-4297). The vulnerability was discovered on November 6, 2023, and affects the plugin's file listing functionality. The issue stems from the plugin's failure to validate the generated path when listing files, which allows any authenticated users, including those with subscriber-level access, to list the contents of arbitrary directories on the server (WPScan).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The issue is classified as a directory traversal vulnerability (CWE-22) and falls under the OWASP Top 10 category A1: Injection. The vulnerability can be exploited through the WordPress admin-ajax.php endpoint using a specially crafted POST request that manipulates the folder parameter in the MMFileList shortcode (WPScan).

When exploited, this vulnerability allows authenticated users with subscriber-level access to view the contents of arbitrary directories on the server. This could lead to unauthorized access to sensitive files and information disclosure, potentially compromising the security of the WordPress installation (WPScan).

As of the latest available information, there is no known fix for this vulnerability. Website administrators using the Mmm Simple File List plugin version 2.3 or earlier should consider removing or disabling the plugin until a security patch is available (WPScan).