Skip to main content

Simple File List EUVDEUVD-2026-38105

| CVE-2026-11912 HIGH
Missing Authorization (CWE-862)
2026-06-20 Wordfence GHSA-h7pv-3jqw-7hgc
7.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
9.1 CRITICAL

Network-reachable WordPress plugin endpoint, no auth or interaction (PR:N/UI:N/AC:L); file deletion yields I:H and A:H by destroying site files, C:N as no read primitive is described.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
CVE Published
Jun 22, 2026 - 06:03 cve.org
HIGH 7.5
Analysis Generated
Jun 22, 2026 - 05:50 vuln.today

DescriptionCVE.org

The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the serve. This vulnerability is exploitable even when the administrator has not enabled the AllowFrontManage setting, because the is_admin() check unconditionally short-circuits the guard before that setting is evaluated.

AnalysisAI

Arbitrary file modification and deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows unauthenticated remote attackers to alter or remove files on the server. The flaw stems from a broken authorization guard where an is_admin() check short-circuits before the AllowFrontManage setting is evaluated, leaving every installation exposed regardless of configuration. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Scan for sites running Simple File List ≤6.3.7
Delivery
Send unauthenticated POST to plugin AJAX endpoint
Exploit
Bypass is_admin() authorization guard
Execution
Invoke file delete/modify handler
Persist
Overwrite PHP file with webshell
Impact
Achieve persistent code execution

Vulnerability AssessmentAI

Exploitation The target WordPress site must have the Simple File List plugin installed and active at any version up to and including 6.3.7, reachable over HTTP(S). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N reflects a network-reachable, no-auth, no-interaction integrity attack - a serious profile for a publicly installed WordPress plugin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scans the internet for WordPress sites running Simple File List <= 6.3.7, then sends an unauthenticated POST to the site's admin-ajax.php invoking the plugin's file management action with a target path. Because the is_admin() guard returns false but is mis-used as an authorization check, the handler proceeds and deletes or overwrites files in the plugin's managed directory; an attacker who can overwrite a .php file effectively plants a webshell and pivots from integrity-only impact to full code execution.
Remediation Upstream fix available (changeset 3579098 on the plugin's trac repository); a released patched version greater than 6.3.7 is not independently confirmed in the supplied data, so administrators should update Simple File List to the latest version published on the WordPress plugin repository as soon as it is available and verify via the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/509a40d2-a33a-49ba-b858-fa8805127a1b). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2022-1119 HIGH POC
7.5 Apr 19

The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/i

CVE-2020-12832 CRITICAL POC
9.8 May 13

WordPress Plugin Simple File List before 4.2.8 is prone to a vulnerability that lets attackers delete arbitrary files be

CVE-2022-3208 MEDIUM POC
6.5 Oct 10

The Simple File List WordPress plugin before 4.4.12 does not implement nonce checks, which could allow attackers to make

CVE-2022-3062 MEDIUM POC
6.1 Sep 26

The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes

CVE-2024-10146 MEDIUM POC
5.4 Nov 14

The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it ba

CVE-2023-1025 MEDIUM POC
4.8 Mar 27

The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow

CVE-2022-3207 MEDIUM POC
4.8 Oct 10

The Simple File List WordPress plugin before 4.4.12 does not sanitise and escape some of its settings, which could allow

CVE-2026-11911 HIGH
7.5 Jun 20

Unauthenticated arbitrary file deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) al

CVE-2026-57382 HIGH
7.1 Jul 13

Reflected cross-site scripting in the Simple File List WordPress plugin (versions up to and including 6.3.8) allows remo

CVE-2026-12119 MEDIUM
6.5 Jun 20

Unauthorized file operations in the Simple File List WordPress plugin (versions through 6.3.7) allow authenticated contr

CVE-2023-39924 MEDIUM
4.8 Oct 25

Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat

Share

EUVD-2026-38105 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy