CVE-2026-11912
Received - Intake
Arbitrary File Modification in Simple File List WordPress Plugin

Publication date: 2026-06-20

Last updated on: 2026-06-20

Assigner: Wordfence

Description
The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the server. This vulnerability is exploitable even when the administrator has not enabled the AllowFrontManage setting, because the is_admin() check unconditionally short-circuits the guard before that setting is evaluated.
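The guard flaw described above, modeled as an added PHP example (not the plugin's source code), next to a hardened form. The stubs for is_admin() and current_user_can(), the $REQ array, the function names, the 'YES' setting value and the manage_options capability are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's source. $REQ and the two stubs stand in for
// WordPress core so the file runs with plain `php`; inside a plugin,
// is_admin() and current_user_can() are provided by WordPress.
$REQ = [];
function is_admin() { global $REQ; return $REQ['admin_context']; }
function current_user_can($cap) { global $REQ; return in_array($cap, $REQ['caps'], true); }

// Flawed shape described in the advisory: is_admin() is tested first, so a
// true result short-circuits || and AllowFrontManage is never evaluated.
// is_admin() reports the request context only; it says nothing about the user.
function may_modify_vulnerable(array $settings): bool {
    return is_admin() || $settings['AllowFrontManage'] === 'YES';
}

// Hardened shape: in admin context the user's capability decides, and the
// front-end path is reachable only when the administrator enabled it.
// A real handler would also verify a nonce; that is not modeled here.
function may_modify_hardened(array $settings): bool {
    if (is_admin()) {
        return current_user_can('manage_options'); // capability is an assumption
    }
    return $settings['AllowFrontManage'] === 'YES';
}

// Constructed cases: [label, admin_context, caps, AllowFrontManage]
$cases = [
    ['admin user, admin context',        true,  ['manage_options'], 'NO'],
    ['no login, admin context',          true,  [],                 'NO'],
    ['no login, front end, setting off', false, [],                 'NO'],
    ['no login, front end, setting on',  false, [],                 'YES'],
];
foreach ($cases as [$label, $ctx, $caps, $afm]) {
    $REQ = ['admin_context' => $ctx, 'caps' => $caps];
    $s = ['AllowFrontManage' => $afm];
    printf("%-34s vulnerable=%-5s hardened=%s\n", $label,
        var_export(may_modify_vulnerable($s), true),
        var_export(may_modify_hardened($s), true));
}
```

Only the second case differs between the two guards: with the setting off and no capability, the flawed guard still grants access because the context check alone satisfies it.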
Meta Information
Published: 2026-06-20
Last Modified: 2026-06-20
Generated: 2026-06-20
AI Q&A: 2026-06-20
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
simple_file_list plugin to 6.3.7 (inc)
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The Simple File List plugin for WordPress has a vulnerability that allows unauthorized users to modify or delete files on the server. This happens because the plugin does not properly check whether a user is authorized before allowing file modifications. Even when the administrator has not enabled the AllowFrontManage setting, the vulnerability can still be exploited, because the is_admin() check short-circuits the guard before that setting is evaluated.

Impact Analysis

This vulnerability can allow attackers who are not logged in to delete or modify files on your server. This could lead to loss of important data, defacement of your website, or other malicious changes that could disrupt your website's operation or compromise its integrity.

Mitigation Strategies

To mitigate this vulnerability, you should update the Simple File List plugin for WordPress to a version later than 6.3.7 where the issue is fixed.

Additionally, review and restrict file modification permissions and monitor for unauthorized file changes on your server.
