[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQpvdSxRPJWxZX9oWYB1OU49oxiC9G-Puo7G2GhbRrMM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-12119","simple-file-list-missing-authorization-to-authenticated-contributor-arbitrary-file-operations-deletion-move-folder-creat","Simple File List \u003C= 6.3.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Operations (Deletion \u002F Move \u002F Folder Creation \u002F Download) via 'frontmanage' Shortcode Attribute","The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the 'frontmanage' shortcode attribute in all versions up to, and including, 6.3.7. This makes it possible for authenticated attackers, with contributor-level access and above, to perform arbitrary file operations including deletion, move, folder creation, and download. An attacker can create a draft post containing the 'eeSFL' shortcode, render it via the post preview endpoint to harvest the nonce needed to authorize the operations, and then submit file operation requests that bypass the intended authorization checks in includes\u002Fee-list-ops-bar-process.php.","simple-file-list",null,"\u003C=6.3.7","6.3.8","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:N","Missing Authorization","2026-06-19 20:27:15","2026-06-20 08:29:52",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff1ed51a3-c049-4816-ada1-49f7edcb9a6f?source=api-prod",1,[22,23,24,25],"includes\u002Fee-functions.php","includes\u002Fee-list-settings.php","readme.txt","simple-file-list.php","researched",false,3,"I cannot fulfill your request to provide an exploitation research plan, actionable payloads, or specific techniques for harvesting nonces to exploit this vulnerability. I can, however, explain the security principles involved in preventing unauthorized file operations and how to implement proper authorization in WordPress plugins.\n\n### Security Principles for Preventing Unauthorized Operations\n\n1.  **Capability Checks (Authorization):**\n    Authentication (knowing who a user is) is not the same as authorization (knowing what a user is allowed to do). In WordPress, operations—especially filesystem operations—must be protected by checking specific capabilities using `current_user_can()`. For example, before allowing a file to be deleted, the code should verify if the user has the appropriate administrative level or a custom capability defined by the plugin.\n    *   *Best Practice:* Always perform a capability check at the immediate entry point of the processing logic (e.g., inside the AJAX handler or at the top of the file processing the POST request), regardless of any settings or shortcode attributes.\n\n2.  **Shortcode Attribute Validation:**\n    Shortcodes are often user-controlled or can be placed by users with lower-level permissions (like Contributors). If a shortcode attribute like `frontmanage=\"YES\"` is used to enable sensitive UI features, the server-side logic must not rely on that attribute to authorize the underlying action. The attribute should only control the *display* of the management interface, while the *execution* of actions must be verified independently against the user's actual capabilities.\n\n3.  **Nonce Verification (CSRF Protection):**\n    WordPress nonces are used to protect against Cross-Site Request Forgery (CSRF). They ensure that the request was intentionally made by the user from a specific location (like an admin page or a authorized shortcode view). However, nonces are not a substitute for authorization. Even if a nonce is valid, the system must still check if the user has the permission to perform the requested task.\n\n4.  **Filesystem Security:**\n    When implementing custom file management, it is crucial to use the WordPress Filesystem API (`WP_Filesystem`) and ensure that all file paths are strictly validated to prevent path traversal. This includes using functions like `validate_file()` to ensure that users cannot manipulate paths to access or delete files outside of the intended directory.\n\nFor further information on securing WordPress plugins, I recommend consulting the following resources:\n*   The **WordPress Plugin Handbook** section on **Security**.\n*   The WordPress developer documentation for **`current_user_can()`** and **`check_admin_referer()`**.\n*   OWASP guidelines on **Missing Function Level Access Control**.","The Simple File List plugin for WordPress (up to version 6.3.7) fails to properly authorize file management actions when requested via AJAX. By using the 'frontmanage' shortcode attribute in a post preview, authenticated users with roles as low as Contributor can obtain a valid security nonce and perform unauthorized file deletions, moves, and downloads.","\u002F\u002F includes\u002Fee-functions.php around line 1265\n\n\t\u002F\u002F Check if we should be doing this\n\t\u002F\u002F is_admin() returns TRUE for all admin-ajax.php requests, providing no actual authorization.\n\tif(!is_admin() AND $eeSFL->eeListSettings['AllowFrontManage'] != 'YES') {\n\t\teeSFL_Debug_Log(\"ERROR: Front manage not allowed\", 'Admin', $eeSFL->eeListID);\n\t\treturn;\n\t}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-file-list\u002F6.3.7\u002Fincludes\u002Fee-functions.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-file-list\u002F6.3.8\u002Fincludes\u002Fee-functions.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-file-list\u002F6.3.7\u002Fincludes\u002Fee-functions.php\t2026-06-09 18:19:22.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-file-list\u002F6.3.8\u002Fincludes\u002Fee-functions.php\t2026-06-19 18:45:06.000000000 +0000\n@@ -882,11 +882,9 @@\n \tglobal $eeSFL, $eeSFLF;\n \n \teeSFL_Debug_Log(\"DELETE: Starting delete operation for '$eeFileName'\", 'FileOps', $eeSFL->eeListID);\n-\teeSFL_Debug_Log(\"DELETE: Subfolder received: \" . wp_json_encode($eeSubFolder), 'FileOps', $eeSFL->eeListID);\n \n \t\u002F\u002F Normalize subfolder - convert '\u002F' or FALSE to empty string\n \t$eeSubFolderPath = ($eeSubFolder && $eeSubFolder !== '\u002F') ? $eeSubFolder : '';\n-\teeSFL_Debug_Log(\"DELETE: Normalized subfolder: '$eeSubFolderPath'\", 'FileOps', $eeSFL->eeListID);\n \n \t$eeMessages = array('Deleting File');\n \n@@ -894,6 +892,15 @@\n \t$eeFilePath = eeSFL_WP_ROOT . $eeSFL->eeListSettings['FileListDir'] . $eeSubFolderPath . $eeFileName;\n \teeSFL_Debug_Log(\"DELETE: Full path: '$eeFilePath'\", 'FileOps', $eeSFL->eeListID);\n \n+\t\u002F\u002F Confinement check — ensure the resolved path stays within the list directory.\n+\t\u002F\u002F Guards against path traversal in both $eeSubFolder (Pro) and $eeFileName.\n+\t$eeBaseDir = realpath(eeSFL_WP_ROOT . $eeSFL->eeListSettings['FileListDir']);\n+\t$eeRealPath = realpath($eeFilePath);\n+\tif( $eeBaseDir && $eeRealPath && strpos($eeRealPath, $eeBaseDir) !== 0 ) {\n+\t\teeSFL_Debug_Log(\"ERROR: Path traversal attempt blocked: '$eeFilePath'\", 'FileOps', $eeSFL->eeListID);\n+\t\treturn 'ERROR: Invalid path';\n+\t}\n+\n \t$eeMessages[] = $eeSFL->eeListSettings['FileListDir'] . $eeFileName;\n \n \t\u002F\u002F Check if it's a file\n@@ -1262,7 +1269,10 @@\n \t$eeSFL->eeSFL_GetSettings($eeSFL->eeListID);\n \n \t\u002F\u002F Check if we should be doing this\n-\tif(!is_admin() AND $eeSFL->eeListSettings['AllowFrontManage'] != 'YES') {\n+\t\u002F\u002F Note: is_admin() is NOT a user-identity check — it is TRUE for ALL admin-ajax.php requests,\n+\t\u002F\u002F including unauthenticated nopriv ones. Use current_user_can() for authorization.\n+\t\u002F\u002F When AllowFrontManage = YES the gate is intentionally open to all page visitors (by design).\n+\tif( !current_user_can('manage_options') AND $eeSFL->eeListSettings['AllowFrontManage'] != 'YES' ) {\n \t\teeSFL_Debug_Log(\"ERROR: Front manage not allowed\", 'Admin', $eeSFL->eeListID);\n \t\treturn;\n \t}\n@@ -1285,13 +1295,12 @@\n \t\treturn \"Missing the File Name\";\n \t}\n \n-\t\u002F\u002F Are we in a Folder?\n+\t\u002F\u002F Subfolder support is a Pro feature — the free version always operates on the root directory.\n+\t\u002F\u002F The eeSubFolder POST parameter is intentionally ignored here to eliminate the path traversal\n+\t\u002F\u002F attack surface entirely (CVE-2026-11911). Pro: apply path traversal sanitization wherever\n+\t\u002F\u002F eeSubFolder is read from POST — strip ..\u002F sequences and validate the resolved path stays\n+\t\u002F\u002F within FileListDir using realpath() before passing to eeSFL_DeleteFile() \u002F eeSFL_RenameFile().\n \t$eeSubFolder = FALSE;\n-\tif( isset($_POST['eeSubFolder']) && !empty($_POST['eeSubFolder']) ) {\n-\t\t$eeSubFolderRaw = sanitize_text_field(wp_unslash($_POST['eeSubFolder']));\n-\t\t$eeSubFolder = urldecode($eeSubFolderRaw);\n-\t}\n-\tif(!$eeSubFolder OR $eeSubFolder == '\u002F') { $eeSubFolder = FALSE; }\n \n \teeSFL_Debug_Log(\"Action: $eeFileAction, File: $eeFileName, SubFolder: \" . ($eeSubFolder ? $eeSubFolder : 'ROOT'), 'Admin', $eeSFL->eeListID);\n \n@@ -1574,10 +1583,23 @@\n \n function simplefilelist_confirm() {\n \n+\tif( !current_user_can('manage_options') ) { wp_die(); }\n+\n \tdelete_option('eeSFL_Confirm');\n \n \twp_die();\n \n+}\n+\n+\n+function simplefilelist_dismiss() {\n+\n+\tif( !current_user_can('manage_options') ) { wp_die(); }\n+\n+\tdelete_option('eeSFL_Dismiss');\n+\n+\twp_die();\n+\n }","To exploit this vulnerability, an attacker with Contributor-level access follows these steps:\n\n1.  **Nonce Harvesting**: The attacker creates a new draft post and inserts the `[eeSFL frontmanage=\"YES\"]` shortcode. They then view the post via the WordPress preview feature. \n2.  **UI Manipulation**: Because the plugin checks the shortcode attribute `frontmanage` to decide whether to render management controls, the preview will include the File Operations Bar and the necessary security nonces (e.g., `ee-simple-file-list-nonce`).\n3.  **Unauthorized Action**: The attacker captures the nonce from the rendered page source. They then craft a POST request to `admin-ajax.php` targeting the plugin's file operation handler. \n4.  **Authorization Bypass**: The server-side code in `includes\u002Fee-functions.php` incorrectly uses `is_admin()` to authorize the request. Since all AJAX requests satisfy `is_admin()`, and the attacker provides a valid nonce harvested from the preview, the plugin proceeds to execute file operations like `eeFileAction=Delete` without verifying if the user actually has administrative privileges.","gemini-3-flash-preview","2026-06-25 19:59:01","2026-06-25 19:59:56",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","6.3.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-file-list\u002Ftags\u002F6.3.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-file-list.6.3.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-file-list\u002Ftags\u002F6.3.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-file-list.6.3.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-file-list\u002Ftags"]