What the vulnerability does
01 Description
The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the server. This vulnerability is exploitable even when the administrator has not enabled the AllowFrontManage setting, because the is_admin() check unconditionally short-circuits the guard before that setting is evaluated.
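The guard pattern described above, next to a hardened form, as an added sketch that is not the plugin's own code. In WordPress, is_admin() only reports that the request targets an admin-area URL (admin-ajax.php included), not that the caller is an administrator. Assumptions: every sfl_demo_* name, the option name, the shape of the weak condition and the chosen capabilities are hypothetical.

```php
<?php
/**
 * Added illustration, NOT the Simple File List source.
 * All sfl_demo_* names, the option name and the capabilities are hypothetical.
 */

// Hypothetical storage for the AllowFrontManage setting named in the advisory.
function sfl_demo_front_manage_enabled(): bool {
    $settings = get_option( 'sfl_demo_settings', array() );
    return ! empty( $settings['AllowFrontManage'] );
}

// WEAK (assumed shape): is_admin() is true for any request routed through
// admin-ajax.php, logged in or not, and because it is tested first the
// setting on the right-hand side is never consulted.
function sfl_demo_guard_weak(): bool {
    return is_admin() || sfl_demo_front_manage_enabled();
}

// HARDENED: authorize the user, not the URL context.
function sfl_demo_guard_hardened(): bool {
    // Nonce bound to this action; third argument false = return, do not die.
    if ( ! check_ajax_referer( 'sfl_demo_file_action', 'nonce', false ) ) {
        return false;
    }
    // Back-end management requires a real capability.
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    // Front-end management: the opt-in setting is actually evaluated, and the
    // caller must still be a logged-in user allowed to handle uploads.
    return sfl_demo_front_manage_enabled()
        && is_user_logged_in()
        && current_user_can( 'upload_files' );
}

function sfl_demo_handle_file_action(): void {
    if ( ! sfl_demo_guard_hardened() ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    // The file operation runs only after the guard has passed.
    wp_send_json_success();
}

// Registering the nopriv hook is safe only because the guard rejects
// unauthenticated callers itself instead of relying on is_admin().
add_action( 'wp_ajax_sfl_demo_file_action', 'sfl_demo_handle_file_action' );
add_action( 'wp_ajax_nopriv_sfl_demo_file_action', 'sfl_demo_handle_file_action' );
```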
Explanation of Vulnerability in Simple Terms
02 Summary
Simple File List versions 6.3.7 and earlier lack proper authorization checks, allowing unauthenticated attackers to modify files through the application. An attacker can exploit this over the network without user interaction. The vulnerability affects the integrity of stored files but does not expose their contents or disrupt availability.
What an attacker can do
03 Attacker Capabilities
Modify or alter files stored in the application without authentication.
Potential impact on your site
04 Site Impact
Attackers can alter or corrupt files managed by Simple File List without logging in.
Conditions required to exploit
05 Prerequisites
Network access to the application; no authentication or user interaction required.
Key dates
06 Disclosure timeline
June 20, 2026
CVE published