Description
The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the server. This vulnerability is exploitable even when the administrator has not enabled the AllowFrontManage setting, because the is_admin() check unconditionally short-circuits the guard before that setting is evaluated; is_admin() is true for any request served through admin-ajax.php, whether or not the requester is logged in, and says nothing about the user's capabilities.
Published: 2026-06-20
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Simple File List plugin allows unauthenticated users to delete and modify arbitrary files on the server because all versions up to and including 6.3.7 lack a proper authorization check on the simplefilelist_edit_job AJAX action. The root cause is missing access control (CWE‑862): the guard relies on is_admin(), which is true for every admin-ajax.php request regardless of authentication, so it short-circuits before the AllowFrontManage setting is ever evaluated and the check passes even when the administrator has left that option disabled. The assigned CVSS vector rates the direct impact as integrity only (C:N/I:H/A:N), but an attacker who can modify files the web server executes, such as PHP files under the web root, can escalate to full take‑over of the WordPress installation.

Affected Systems

Any WordPress site with the Simple File List plugin by eemitch installed and active at version 6.3.7 or earlier is affected; the AJAX handler is only registered while the plugin is active. Sites using this plugin in any environment, whether production, staging, or testing, are at risk.

Risk and Exploitability

The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) classifies the issue as high severity: it is reachable over the network with low attack complexity and requires neither privileges nor user interaction, and its rated impact is a high loss of integrity, with no direct confidentiality or availability impact. EPSS information is currently unavailable, so the likelihood of exploitation cannot be quantified, but the absence of a listed vendor fix and the straightforward attack path (an unauthenticated request to the plugin's AJAX action) make exploitation plausible. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 20, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Simple File List plugin to a release later than 6.3.7 from the official WordPress repository or the vendor's site as soon as the vendor publishes one; the Remediation section above records no fixed version yet.
  • If an immediate update is not possible, temporarily disable or completely remove the plugin to eliminate the exposed AJAX action.
  • Apply general WordPress hardening measures: set DISALLOW_FILE_EDIT (and, where your update workflow allows it, DISALLOW_FILE_MODS) in wp-config.php, enforce strict role‑based access controls, and review other third‑party plugin code for AJAX handlers that lack a capability check or a nonce check. Note that DISALLOW_FILE_EDIT only disables WordPress's built‑in theme and plugin editor; it does not stop a plugin's own code from writing to the filesystem, so it is not a mitigation for this issue.
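The last action above asks reviewers to look for missing authorization checks in plugin AJAX handlers. The block below is an added illustration of the guard pattern this advisory describes and of its corrected form; it is not the Simple File List plugin's code, and the option name, hook names, capability and upload sub-directory are hypothetical placeholders. What it shows is why is_admin() is the wrong primitive for an AJAX handler: admin-ajax.php is an admin-side file, so is_admin() is true for every request it serves, including requests from logged-out visitors dispatched through the wp_ajax_nopriv_* hook.

```php
<?php
// Added illustration, not the Simple File List plugin's code. The option
// name, hook names, capability and upload sub-directory below are
// hypothetical placeholders chosen for this example.

// Both handlers register as WordPress AJAX actions. admin-ajax.php defines
// WP_ADMIN before dispatching, so is_admin() is true for every request it
// serves, including those from logged-out visitors routed through the
// wp_ajax_nopriv_* hook. is_admin() never consults the current user.

// Vulnerable shape: is_admin() short-circuits the condition on every AJAX
// request, so the "allow front-end management" option is never evaluated
// and the file operation runs for anonymous callers.
function example_sfl_edit_job_vulnerable() {
    if ( ! is_admin() && ! get_option( 'example_allow_front_manage' ) ) {
        wp_die( 'Not allowed' );
    }
    // ... rename/delete of an attacker-chosen path would follow here ...
    wp_send_json_success( 'job accepted' );
}
add_action( 'wp_ajax_example_sfl_edit_job_vulnerable',        'example_sfl_edit_job_vulnerable' );
add_action( 'wp_ajax_nopriv_example_sfl_edit_job_vulnerable', 'example_sfl_edit_job_vulnerable' );

// Hardened shape: bind the request to a nonce (CSRF), authorize by
// capability (not by is_admin()), and confine the target path to the
// plugin's own directory under wp-content/uploads. No nopriv hook is
// registered, so logged-out requests get admin-ajax.php's default
// "0" response instead of reaching the handler.
function example_sfl_edit_job_hardened() {
    check_ajax_referer( 'example_sfl_edit_job', 'nonce' );       // dies on a missing or invalid nonce
    if ( ! current_user_can( 'upload_files' ) ) {                   // capability check, independent of is_admin()
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    $base = realpath( wp_upload_dir()['basedir'] . '/example-file-list' );
    $name = sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) );
    $path = ( $base && '' !== $name ) ? realpath( $base . '/' . $name ) : false;

    // realpath() resolves symlinks and "..", so a prefix test against the
    // resolved base directory rejects anything that escapes it.
    if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'Invalid file', 400 );
    }
    // ... perform the requested edit on $path ...
    wp_send_json_success( 'job accepted' );
}
add_action( 'wp_ajax_example_sfl_edit_job', 'example_sfl_edit_job_hardened' );
```

When auditing an installed plugin for this class of bug, search its source for wp_ajax_nopriv_ registrations whose handlers reach filesystem calls (rename, unlink, file_put_contents, wp_delete_file and similar) and for is_admin() used as if it were an authorization test; for the plugin on this page, the action named in the advisory title, simplefilelist_edit_job, is the handler to inspect. A handler that modifies files should pass both a nonce check and a current_user_can() check before touching any path, and should never be reachable through a nopriv hook.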

Advisories

No advisories yet.

History

Sat, 20 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the server. This vulnerability is exploitable even when the administrator has not enabled the AllowFrontManage setting, because the is_admin() check unconditionally short-circuits the guard before that setting is evaluated.
Title Simple File List <= 6.3.7 - Missing Authorization to Unauthenticated File Modification via simplefilelist_edit_job AJAX Action
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-20T08:29:48.184Z

Reserved: 2026-06-10T16:38:42.826Z

Link: CVE-2026-11912

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T10:30:05Z

Weaknesses