Unauthorized File Operations in Simple File List for WordPress
CVE-2026-12119

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Simple File List
Vendor: CVE Published:; 20 June 2026

What is CVE-2026-12119?

The Simple File List plugin for WordPress contains a vulnerability due to a lack of proper authorization checks on the 'frontmanage' shortcode attribute. This flaw allows authenticated attackers with contributor-level access and higher to execute unauthorized file operations such as deletion, movement, folder creation, and downloads. Attackers can exploit this vulnerability by creating draft posts that include the 'eeSFL' shortcode, utilizing the post preview endpoint to retrieve the nonce necessary for authorization, and subsequently issuing file operation requests that bypass the intended security measures found in the plugin's core files.

Affected Version(s)

Simple File List 0 <= 6.3.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/simple-file-li...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 20, 2026
Vulnerability Reserved
Jun 12, 2026

Credit

Chloe Chamberland

PRISM

CVE-2026-12119 Data

JSON