CVE-2026-11911 - Vulnerability Details

The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFL_DeleteFile function in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The simplefilelist_edit_job AJAX action is registered via wp_ajax_nopriv_, making it accessible without authentication, and the is_admin() guard that would otherwise restrict access is bypassed because is_admin() always returns true for requests to the admin-ajax.php endpoint.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-functions.php#L1281
https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-functions.php#L894
https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-list-display.php#L473
https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/simple-file-list.php#L262
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3579098%40simple-file-list&new=3579098%40simple-file-list&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/748c4ca8-fcbf-43e5-ab70-721e83253663?source=cve

History

Sat, 20 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFL_DeleteFile function in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The simplefilelist_edit_job AJAX action is registered via wp_ajax_nopriv_, making it accessible without authentication, and the is_admin() guard that would otherwise restrict access is bypassed because is_admin() always returns true for requests to the admin-ajax.php endpoint.
Title		Simple File List <= 6.3.7 - Unauthenticated Arbitrary File Deletion via Path Traversal in 'eeSubFolder' Parameter
Weaknesses		CWE-22
References		https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-functions.php#L1281 https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-functions.php#L894 https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-list-display.php#L473 https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/simple-file-list.php#L262 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3579098%40simple-file-list&new=3579098%40simple-file-list&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/748c4ca8-fcbf-43e5-ab70-721e83253663?source=cve
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-06-20T08:29:48.704Z

Updated: 2026-06-20T08:29:48.704Z

Reserved: 2026-06-10T16:35:08.986Z

Link: CVE-2026-11911

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object