CVE-2026-12119
MEDIUMWordPress Simple File List <= 6.3.7 - Contributor+ Arbitrary File Operations
Title source: manualDescription
The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the 'frontmanage' shortcode attribute in all versions up to, and including, 6.3.7. This makes it possible for authenticated attackers, with contributor-level access and above, to perform arbitrary file operations including deletion, move, folder creation, and download. An attacker can create a draft post containing the 'eeSFL' shortcode, render it via the post preview endpoint to harvest the nonce needed to authorize the operations, and then submit file operation requests that bypass the intended authorization checks in includes/ee-list-ops-bar-process.php.
References (6)
Core 6
Core References
Scores
CVSS v3
6.5
EPSS
0.0027
EPSS Percentile
18.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-862
Status
published
Products (1)
eemitch/Simple File List
< 6.3.7
Published
Jun 20, 2026
Tracked Since
Jun 20, 2026