The Simple File List plugin for WordPress contains a Path Traversal flaw in the eeSFL_DeleteFile function, allowing any user to supply a crafted filename via the eeSubFolder parameter that bypasses validation. This flaw permits unauthenticated file deletion, meaning a remote attacker can remove arbitrary files from the server. If critical files such as wp-config.php are deleted, the attacker can achieve full remote code execution or otherwise disrupt site operations. The weakness is classified as CWE-22.

All installations of the Simple File List plugin created by the vendor eemitch that run version 6.3.7 or older are affected. No specific product sub‑versions are listed beyond the cumulative <=6.3.7 range, so any deployment using a version within that range carries the vulnerability.

The CVSS score of 7.5 indicates a high severity. EPSS data are not available, so the exploitation probability cannot be quantified, though the issue is rendered trivial to exploit due to the lack of authentication required. The vulnerability is not listed in CISA’s KEV catalog, but it is still serious because attackers can delete files via an unauthenticated AJAX request sent to the admin‑ajax.php endpoint. The "simplefilelist_edit_job" action is registered with wp_ajax_nopriv_, and the is_admin() guard is bypassed because it returns true for these requests, making the attack path straightforward.