Arbitrary File Modification in Simple File List Plugin for WordPress
CVE-2026-11912

7.5HIGH

Key Information:

Vendor: WordPress
Status: Simple File List
Vendor: CVE Published:; 20 June 2026

What is CVE-2026-11912?

The Simple File List plugin for WordPress contains a security flaw that permits arbitrary file modification due to a lack of adequate authorization checks. Attackers can exploit this vulnerability to delete or modify files on the server even in scenarios where the administrator has not activated the AllowFrontManage setting. This occurs because the is_admin() function fails to assess access rights properly, allowing unauthorized access to critical file management functionalities in all versions up to and including 6.3.7.

Affected Version(s)

Simple File List 0 <= 6.3.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/simple-file-li...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 20, 2026
Vulnerability Reserved
Jun 10, 2026

Credit

Chloe Chamberland

PRISM

CVE-2026-11912 Data

JSON