CVE Catalog

CVE-2026-11911

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.78%

51th percentile — higher than 51% of all known CVEs

Summary

The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFL_DeleteFile function in all versions up to and including 6.3.7. This allows unauthenticated attackers to delete arbitrary files on the server.

Risk Assessment

Attackers can delete critical files, potentially leading to remote code execution if the right file, such as wp-config.php, is deleted. This poses a serious security threat to the entire application.

Recommendation

It is recommended to update the plugin to the latest version to mitigate this vulnerability. Additionally, implementing further security measures, such as restricting access to critical files on the server, is advisable.

Original NVD description (English source)

The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFL_DeleteFile function in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The simplefilelist_edit_job AJAX action is registered via wp_ajax_nopriv_, making it accessible without authentication, and the is_admin() guard that would otherwise restrict access is bypassed because is_admin() always returns true for requests to the admin-ajax.php endpoint.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS