CVE-2025-54021: 
WordPress vulnerability analysis and mitigation

The Simple File List WordPress plugin contains a Path Traversal vulnerability (CVE-2025-54021) that affects all versions up to and including 6.1.14. The vulnerability was discovered by Phat RiO from BlueRock and was published on July 28, 2025. This security flaw allows unauthenticated attackers to perform arbitrary file downloads from affected servers (Rapid7, Patchstack).

The vulnerability is classified as an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) issue, identified as CWE-22. It has received a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating that it can be exploited remotely without requiring authentication or user interaction (NVD).

The vulnerability enables unauthenticated attackers to read the contents of arbitrary files on the affected server. This could potentially expose sensitive information, including configuration files, backup files, and login credentials stored on the server (Patchstack).

Users are strongly advised to update to version 6.1.15 or later, which contains a fix for this vulnerability. For immediate protection, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).