cleantalk
Vulnerabilities and Security Researches

Simple File List, CVE-2026-11911

CVE, Research URL

CVE-2026-11911

Home page URL

Security reports for Simple File List

Application

Simple File List

Published on
Jun 20, 2026
Research Description
The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFL_DeleteFile function in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The simplefilelist_edit_job AJAX action is registered via wp_ajax_nopriv_, making it accessible without authentication, and the is_admin() guard that would otherwise restrict access is bypassed because is_admin() always returns true for requests to the admin-ajax.php endpoint.
Affected versions
max 6.3.8.
Status
vulnerable
Previous vulnerability researches
Branda – White Label WordPress, Custom Login Page Customizer (CVE-2026-11551) , Jun 21, 2026
Branda – White Label WordPress, Custom Login Page Customizer (CVE-2024-5191) , Jun 22, 2024
Branda – White Label WordPress, Custom Login Page Customizer (CVE-2024-37239) , Jul 02, 2024
Branda – White Label WordPress, Custom Login Page Customizer (CVE-2024-6554) , Jul 22, 2024
Branda – White Label WordPress, Custom Login Page Customizer (CVE-2025-14998) , Jan 11, 2026
New vulnerability
Simple File List (CVE-2026-11911) , Jun 21, 2026
Simple File List (CVE-2026-12119) , Jun 21, 2026
Simple File List (CVE-2026-11912) , Jun 21, 2026
WP Hotel Booking (CVE-2026-9822) , Jun 21, 2026
Branda – White Label WordPress, Custom Login Page Customizer (CVE-2026-11551) , Jun 21, 2026