CVE-2026-11911

Sažetak

The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFL_DeleteFile function in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The simplefilelist_edit_job AJAX action is registered via wp_ajax_nopriv_, making it accessible without authentication, and the is_admin() guard that would otherwise restrict access is bypassed because is_admin() always returns true for requests to the admin-ajax.php endpoint.

Reference

https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-functions.php#L1281
https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-functions.php#L894
https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-list-display.php#L473
https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/simple-file-list.php#L262
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3579098%40simple-file-list&new=3579098%40simple-file-list&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/748c4ca8-fcbf-43e5-ab70-721e83253663?source=cve

CVSS

Base:	7.5
Impact:	3.6
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	NONE	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Zadnje važnije ažuriranje

20-06-2026 - 09:16

Objavljeno

20-06-2026 - 09:16