Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Network-reachable WordPress plugin endpoint, no auth or interaction (PR:N/UI:N/AC:L); file deletion yields I:H and A:H by destroying site files, C:N as no read primitive is described.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the serve. This vulnerability is exploitable even when the administrator has not enabled the AllowFrontManage setting, because the is_admin() check unconditionally short-circuits the guard before that setting is evaluated.
AnalysisAI
Arbitrary file modification and deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows unauthenticated remote attackers to alter or remove files on the server. The flaw stems from a broken authorization guard where an is_admin() check short-circuits before the AllowFrontManage setting is evaluated, leaving every installation exposed regardless of configuration. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target WordPress site must have the Simple File List plugin installed and active at any version up to and including 6.3.7, reachable over HTTP(S). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N reflects a network-reachable, no-auth, no-interaction integrity attack - a serious profile for a publicly installed WordPress plugin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scans the internet for WordPress sites running Simple File List <= 6.3.7, then sends an unauthenticated POST to the site's admin-ajax.php invoking the plugin's file management action with a target path. Because the is_admin() guard returns false but is mis-used as an authorization check, the handler proceeds and deletes or overwrites files in the plugin's managed directory; an attacker who can overwrite a .php file effectively plants a webshell and pivots from integrity-only impact to full code execution. |
| Remediation | Upstream fix available (changeset 3579098 on the plugin's trac repository); a released patched version greater than 6.3.7 is not independently confirmed in the supplied data, so administrators should update Simple File List to the latest version published on the WordPress plugin repository as soon as it is available and verify via the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/509a40d2-a33a-49ba-b858-fa8805127a1b). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Simple File List
View allThe Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/i
WordPress Plugin Simple File List before 4.2.8 is prone to a vulnerability that lets attackers delete arbitrary files be
The Simple File List WordPress plugin before 4.4.12 does not implement nonce checks, which could allow attackers to make
The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes
The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it ba
The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow
The Simple File List WordPress plugin before 4.4.12 does not sanitise and escape some of its settings, which could allow
Unauthenticated arbitrary file deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) al
Reflected cross-site scripting in the Simple File List WordPress plugin (versions up to and including 6.3.8) allows remo
Unauthorized file operations in the Simple File List WordPress plugin (versions through 6.3.7) allow authenticated contr
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38105
GHSA-h7pv-3jqw-7hgc