
Description

The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the server. This vulnerability is exploitable even when the administrator has not enabled the AllowFrontManage setting, because the is_admin() check unconditionally short-circuits the guard before that setting is evaluated.

PUBLISHED Reserved 2026-06-10 | Published 2026-06-20 | Updated 2026-06-20 | Assigner Wordfence




HIGH: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Problem types

CWE-862 Missing Authorization

Product status

Default status
unaffected

Any version
affected

Timeline

2026-06-15: Vendor Notified
2026-06-19: Disclosed

Credits

Chloe Chamberland finder

PRISM finder

References

www.wordfence.com/...-a33a-49ba-b858-fa8805127a1b?source=cve

plugins.trac.wordpress.org/....3.6/includes/ee-functions.php

plugins.trac.wordpress.org/....3.6/includes/ee-functions.php

plugins.trac.wordpress.org/...ags/6.3.6/simple-file-list.php

plugins.trac.wordpress.org/...6/includes/ee-list-display.php

plugins.trac.wordpress.org/....3.6/includes/ee-functions.php

plugins.trac.wordpress.org/...ile-list&sfp_email=&sfph_mail=

cve.org (CVE-2026-11912)

nvd.nist.gov (CVE-2026-11912)
