CVE-2026-11912
Deferred Deferred - Pending Action

Arbitrary File Modification in Simple File List WordPress Plugin

Vulnerability report for CVE-2026-11912, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-20

Last updated on: 2026-06-22

Assigner: Wordfence

Description

The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the serve. This vulnerability is exploitable even when the administrator has not enabled the AllowFrontManage setting, because the is_admin() check unconditionally short-circuits the guard before that setting is evaluated.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-20
Last Modified
2026-06-22
Generated
2026-07-10
AI Q&A
2026-06-20
EPSS Evaluated
2026-07-09
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
simple_file_list plugin to 6.3.7 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Simple File List plugin for WordPress has a vulnerability that allows unauthorized users to modify or delete files on the server. This happens because the plugin does not properly check if a user is authorized before allowing file modifications. Even if certain settings meant to restrict access are disabled, the vulnerability can still be exploited due to a flawed authorization check.

Impact Analysis

This vulnerability can allow attackers who are not logged in to delete or modify files on your server. This could lead to loss of important data, defacement of your website, or other malicious changes that could disrupt your website's operation or compromise its integrity.

Mitigation Strategies

To mitigate this vulnerability, you should update the Simple File List plugin for WordPress to a version later than 6.3.7 where the issue is fixed.

Additionally, review and restrict file modification permissions and monitor for unauthorized file changes on your server.

Compliance Impact

The vulnerability allows unauthenticated attackers to delete and modify files on the server due to insufficient authorization checks in the Simple File List plugin for WordPress.

Such unauthorized file modifications could lead to data integrity issues and potential exposure or loss of sensitive information, which may impact compliance with standards like GDPR and HIPAA that require protection of data integrity and confidentiality.

However, the provided information does not explicitly detail the direct compliance implications or specific regulatory impacts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11912. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart