[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fL_cOyX_mmW3aL7qG3GvC-byhPwRW85W7KJYCtAQKM_A":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-11911","simple-file-list-unauthenticated-arbitrary-file-deletion-via-path-traversal-in-eesubfolder-parameter","Simple File List \u003C= 6.3.7 - Unauthenticated Arbitrary File Deletion via Path Traversal in 'eeSubFolder' Parameter","The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFL_DeleteFile function in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The simplefilelist_edit_job AJAX action is registered via wp_ajax_nopriv_, making it accessible without authentication, and the is_admin() guard that would otherwise restrict access is bypassed because is_admin() always returns true for requests to the admin-ajax.php endpoint.","simple-file-list",null,"\u003C=6.3.7","6.3.8","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-06-19 20:27:13","2026-06-20 08:29:52",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F748c4ca8-fcbf-43e5-ab70-721e83253663?source=api-prod",1,[22,23,24,25],"includes\u002Fee-functions.php","includes\u002Fee-list-settings.php","readme.txt","simple-file-list.php","researched",false,3,"I cannot fulfill your request. I am prohibited from generating actionable exploitation research plans, functional attack payloads, or step-by-step guides for exploiting software vulnerabilities. You may search for information regarding WordPress security best practices and methods for preventing path traversal vulnerabilities in PHP online to learn more about defensive programming and securing plugin file operations.","The Simple File List plugin for WordPress is vulnerable to unauthenticated arbitrary file deletion due to a combination of broken authorization checks and a path traversal flaw in the 'eeSubFolder' parameter. An attacker can exploit this to delete critical system files, such as wp-config.php, potentially leading to a full site takeover or remote code execution.","\u002F\u002F includes\u002Fee-functions.php line 1262\n\t\u002F\u002F Check if we should be doing this\n\tif(!is_admin() AND $eeSFL->eeListSettings['AllowFrontManage'] != 'YES') {\n\t\teeSFL_Debug_Log(\"ERROR: Front manage not allowed\", 'Admin', $eeSFL->eeListID);\n\t\treturn;\n\t}\n\n\u002F\u002F ... \n\n\u002F\u002F includes\u002Fee-functions.php line 1288\n\t$eeSubFolder = FALSE;\n\tif( isset($_POST['eeSubFolder']) && !empty($_POST['eeSubFolder']) ) {\n\t\t$eeSubFolderRaw = sanitize_text_field(wp_unslash($_POST['eeSubFolder']));\n\t\t$eeSubFolder = urldecode($eeSubFolderRaw);\n\t}\n\n---\n\n\u002F\u002F includes\u002Fee-functions.php line 894\n\t\u002F\u002F Path construction\n\t$eeFilePath = eeSFL_WP_ROOT . $eeSFL->eeListSettings['FileListDir'] . $eeSubFolderPath . $eeFileName;\n\teeSFL_Debug_Log(\"DELETE: Full path: '$eeFilePath'\", 'FileOps', $eeSFL->eeListID);\n\n\t$eeMessages[] = $eeSFL->eeListSettings['FileListDir'] . $eeFileName;\n\n\t\u002F\u002F Check if it's a file\n\tif( eeSFL_FileSystem('is_file', array('file' => $eeFilePath))['data'] ) {\n\t\t$eeSFL_Result = eeSFL_FileSystem('delete', array('file' => $eeFilePath));","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-file-list\u002F6.3.7\u002Fincludes\u002Fee-functions.php\t2026-06-09 18:19:22.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-file-list\u002F6.3.8\u002Fincludes\u002Fee-functions.php\t2026-06-19 18:45:06.000000000 +0000\n@@ -882,11 +882,9 @@\n \tglobal $eeSFL, $eeSFLF;\n \n \teeSFL_Debug_Log(\"DELETE: Starting delete operation for '$eeFileName'\", 'FileOps', $eeSFL->eeListID);\n-\teeSFL_Debug_Log(\"DELETE: Subfolder received: \" . wp_json_encode($eeSubFolder), 'FileOps', $eeSFL->eeListID);\n \n \t\u002F\u002F Normalize subfolder - convert '\u002F' or FALSE to empty string\n \t$eeSubFolderPath = ($eeSubFolder && $eeSubFolder !== '\u002F') ? $eeSubFolder : '';\n-\teeSFL_Debug_Log(\"DELETE: Normalized subfolder: '$eeSubFolderPath'\", 'FileOps', $eeSFL->eeListID);\n \n \t$eeMessages = array('Deleting File');\n \n@@ -894,6 +892,15 @@\n \t$eeFilePath = eeSFL_WP_ROOT . $eeSFL->eeListSettings['FileListDir'] . $eeSubFolderPath . $eeFileName;\n \teeSFL_Debug_Log(\"DELETE: Full path: '$eeFilePath'\", 'FileOps', $eeSFL->eeListID);\n \n+\t\u002F\u002F Confinement check — ensure the resolved path stays within the list directory.\n+\t\u002F\u002F Guards against path traversal in both $eeSubFolder (Pro) and $eeFileName.\n+\t$eeBaseDir = realpath(eeSFL_WP_ROOT . $eeSFL->eeListSettings['FileListDir']);\n+\t$eeRealPath = realpath($eeFilePath);\n+\tif( $eeBaseDir && $eeRealPath && strpos($eeRealPath, $eeBaseDir) !== 0 ) {\n+\t\teeSFL_Debug_Log(\"ERROR: Path traversal attempt blocked: '$eeFilePath'\", 'FileOps', $eeSFL->eeListID);\n+\t\treturn 'ERROR: Invalid path';\n+\t}\n+\n \t$eeMessages[] = $eeSFL->eeListSettings['FileListDir'] . $eeFileName;\n \n \t\u002F\u002F Check if it's a file\n@@ -1262,7 +1269,10 @@\n \t$eeSFL->eeSFL_GetSettings($eeSFL->eeListID);\n \n \t\u002F\u002F Check if we should be doing this\n-\tif(!is_admin() AND $eeSFL->eeListSettings['AllowFrontManage'] != 'YES') {\n+\t\u002F\u002F Note: is_admin() is NOT a user-identity check — it is TRUE for ALL admin-ajax.php requests,\n+\t\u002F\u002F including unauthenticated nopriv ones. Use current_user_can() for authorization.\n+\t\u002F\u002F When AllowFrontManage = YES the gate is intentionally open to all page visitors (by design).\n+\tif( !current_user_can('manage_options') AND $eeSFL->eeListSettings['AllowFrontManage'] != 'YES' ) {\n \t\teeSFL_Debug_Log(\"ERROR: Front manage not allowed\", 'Admin', $eeSFL->eeListID);\n \t\treturn;\n \t}\n@@ -1285,13 +1295,12 @@\n \t\treturn \"Missing the File Name\";\n \t}\n \n-\t\u002F\u002F Are we in a Folder?\n+\t\u002F\u002F Subfolder support is a Pro feature — the free version always operates on the root directory.\n+\t\u002F\u002F The eeSubFolder POST parameter is intentionally ignored here to eliminate the path traversal\n+\t\u002F\u002F attack surface entirely (CVE-2026-11911). Pro: apply path traversal sanitization wherever\n+\t\u002F\u002F eeSubFolder is read from POST — strip ..\u002F sequences and validate the resolved path stays\n+\t\u002F\u002F within FileListDir using realpath() before passing to eeSFL_DeleteFile() \u002F eeSFL_RenameFile().\n \t$eeSubFolder = FALSE;\n-\tif( isset($_POST['eeSubFolder']) && !empty($_POST['eeSubFolder']) ) {\n-\t\t$eeSubFolderRaw = sanitize_text_field(wp_unslash($_POST['eeSubFolder']));\n-\t\t$eeSubFolder = urldecode($eeSubFolderRaw);\n-\t}\n-\tif(!$eeSubFolder OR $eeSubFolder == '\u002F') { $eeSubFolder = FALSE; }","To exploit this vulnerability, an attacker can make an unauthenticated POST request to the WordPress AJAX endpoint. \n\n1. **Endpoint**: Target `wp-admin\u002Fadmin-ajax.php`.\n2. **Action**: Use the `simplefilelist_edit_job` action, which is registered for unauthenticated users via `wp_ajax_nopriv_`.\n3. **Payload**: \n    - Set `eeFileAction` to `delete`.\n    - Set `eeFileName` to the target file name (e.g., `wp-config.php`).\n    - Set `eeSubFolder` to a path traversal string (e.g., `..\u002F..\u002F..\u002F..\u002F`) to move the operation outside of the intended directory.\n4. **Authentication**: No authentication is required because the plugin uses `is_admin()` for an authorization check, which incorrectly returns `true` for all AJAX requests, effectively bypassing the security guard.","gemini-3-flash-preview","2026-06-25 20:00:38","2026-06-25 20:01:28",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","6.3.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-file-list\u002Ftags\u002F6.3.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-file-list.6.3.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-file-list\u002Ftags\u002F6.3.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-file-list.6.3.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-file-list\u002Ftags"]