cleantalk
Vulnerabilities and Security Researches

Simple File List, CVE-2026-11912

CVE, Research URL

CVE-2026-11912

Home page URL

Security reports for Simple File List

Application

Simple File List

Published on
Jun 20, 2026
Research Description
The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the serve. This vulnerability is exploitable even when the administrator has not enabled the AllowFrontManage setting, because the is_admin() check unconditionally short-circuits the guard before that setting is evaluated.
Affected versions
max 6.3.8.
Status
vulnerable
Previous vulnerability researches
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-24573) , Jan 26, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2026-3297) , Jun 13, 2026
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2026-2470) , Jun 13, 2026
Page Builder: Pagelayer – Drag and Drop website builder (034ff0255a06b02d7a3099c8b62052121c06a6b8) , Jun 16, 2026
Page Builder: Pagelayer – Drag and Drop website builder (798fe899223d5728f117e7d01b13ea4115a359b9) , Jun 16, 2026
New vulnerability
Simple File List (CVE-2026-11911) , Jun 21, 2026
Simple File List (CVE-2026-12119) , Jun 21, 2026
Simple File List (CVE-2026-11912) , Jun 21, 2026
WP Hotel Booking (CVE-2026-9822) , Jun 21, 2026
Branda – White Label WordPress, Custom Login Page Customizer (CVE-2026-11551) , Jun 21, 2026