Description
The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the 'frontmanage' shortcode attribute in all versions up to, and including, 6.3.7. This makes it possible for authenticated attackers, with contributor-level access and above, to perform arbitrary file operations including deletion, move, folder creation, and download. An attacker can create a draft post containing the 'eeSFL' shortcode, render it via the post preview endpoint to harvest the nonce needed to authorize the operations, and then submit file operation requests that bypass the intended authorization checks in includes/ee-list-ops-bar-process.php.
Published: 2026-06-20
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Simple File List plugin for WordPress contains a missing authorization check on the 'frontmanage' shortcode attribute in all versions up to 6.3.7. As a result, any authenticated user who possesses at least Contributor permissions can invoke file operations such as deletion, moving, folder creation, and download without proper privilege validation. The vulnerability allows the attacker to manipulate the site's file repository, potentially leading to data loss, site corruption, or the introduction of malicious content, thereby compromising the integrity and availability of the site.

Affected Systems

WordPress installations using the eemitch Simple File List plugin version 6.3.7 or earlier are affected. Sites that permit Contributors to create or preview posts are directly impacted, because the exploitation workflow depends on those capabilities to obtain the required nonce and trigger the unauthorized file operations.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. EPSS is not available, so no exploitation-probability estimate has been published. The flaw can be exploited by any authenticated user with Contributor or higher privileges: the user renders the shortcode through the post preview endpoint to harvest the needed nonce, then submits file operation requests that the plugin accepts because the authorization check is missing. The vulnerability is not listed in the CISA KEV catalog, so no large-scale exploitation is currently documented.

Generated by OpenCVE AI on June 20, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Simple File List plugin to the latest version, which restores the required authorization checks on the 'frontmanage' attribute.
  • Add a WordPress filter to disable the eeSFL shortcode for Contributor and lower roles, preventing unauthorized use of the shortcode.
  • After applying the mitigation, audit file system changes and access logs to detect any prior unauthorized operations and ensure that only trusted administrators have write permissions on critical directories.
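A concrete form of the second action, added here as an illustration (it is not code from the Simple File List plugin or from OpenCVE): a must-use plugin that short-circuits the eeSFL shortcode whenever the post containing it was authored by a user who cannot publish posts. It assumes the shortcode tag is literally 'eeSFL' as the advisory states, and uses the 'publish_posts' capability as the boundary between Contributor and Author in a default WordPress role set.

```php
<?php
/**
 * Mitigation example (not part of the Simple File List plugin or OpenCVE):
 * refuse to render [eeSFL] when the post it appears in was authored by a
 * user who lacks 'publish_posts' (Contributors and Subscribers by default).
 * Save as wp-content/mu-plugins/block-eesfl-for-contributors.php so it
 * loads regardless of theme or plugin state.
 *
 * Assumptions (mine, not the advisory's): the shortcode tag is 'eeSFL';
 * 'publish_posts' is the capability that separates Author+ from Contributor.
 */
add_filter( 'pre_do_shortcode_tag', function ( $return, $tag, $attr, $m ) {
    // Only act on the Simple File List shortcode; leave every other shortcode alone.
    if ( 'eeSFL' !== $tag ) {
        return $return;
    }

    // Identify the post whose content is being rendered. The preview endpoint
    // sets up the global post like a normal view, so previews are covered too.
    $post = get_post();
    if ( ! $post instanceof WP_Post ) {
        // No post context (widget, ad-hoc do_shortcode() call): be conservative
        // and only let the plugin render for a viewer who could publish posts.
        return current_user_can( 'publish_posts' ) ? $return : '';
    }

    // Decide on the post's *author*, not the viewer: anonymous readers of a
    // trusted author's page still get the list, but a Contributor's draft never
    // reaches the plugin's file-operation code, so no nonce is rendered for them.
    if ( user_can( (int) $post->post_author, 'publish_posts' ) ) {
        return $return; // false: let WordPress run the real shortcode handler.
    }

    // Record the blocked render so the audit step in the next action has a trail.
    error_log( sprintf(
        'Blocked [eeSFL] shortcode in post %d authored by user %d (lacks publish_posts).',
        $post->ID,
        (int) $post->post_author
    ) );

    // Returning a string short-circuits the shortcode; the string becomes its output.
    return '';
}, 10, 4 );
```

Returning an empty string is deliberate: the shortcode is hidden rather than echoed back as literal text, which would otherwise reveal to the Contributor that the tag exists but is blocked.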



Advisories

No advisories yet.

History

Sat, 20 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the 'frontmanage' shortcode attribute in all versions up to, and including, 6.3.7. This makes it possible for authenticated attackers, with contributor-level access and above, to perform arbitrary file operations including deletion, move, folder creation, and download. An attacker can create a draft post containing the 'eeSFL' shortcode, render it via the post preview endpoint to harvest the nonce needed to authorize the operations, and then submit file operation requests that bypass the intended authorization checks in includes/ee-list-ops-bar-process.php.
Title | | Simple File List <= 6.3.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Operations (Deletion / Move / Folder Creation / Download) via 'frontmanage' Shortcode Attribute
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-20T08:29:49.055Z

Reserved: 2026-06-12T15:00:06.461Z

Link: CVE-2026-12119

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T11:30:05Z

Weaknesses