CVE-2026-12119— Simple File List <= 6.3.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Operations (Deletion / Move / Folder Creation / Download) via 'frontmanage' Shortcode Attribute
Possible ATT&CK Techniques 2AI
T1059 · Command and Scripting Interpreter T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-12119
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Simple File List <= 6.3.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Operations (Deletion / Move / Folder Creation / Download) via 'frontmanage' Shortcode Attribute
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the 'frontmanage' shortcode attribute in all versions up to, and including, 6.3.7. This makes it possible for authenticated attackers, with contributor-level access and above, to perform arbitrary file operations including deletion, move, folder creation, and download. An attacker can create a draft post containing the 'eeSFL' shortcode, render it via the post preview endpoint to harvest the nonce needed to authorize the operations, and then submit file operation requests that bypass the intended authorization checks in includes/ee-list-ops-bar-process.php.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| eemitch | Simple File List | 0 ~ 6.3.7 | - |
II. Public POCs for CVE-2026-12119
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-12119
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-12119 (3)
Other References for CVE-2026-12119 (2)
Other References for CVE-2026-12119 (1)
Same Patch Batch · eemitch · 2026-06-20 · 3 CVEs total
| CVE-2026-11912 | 7.5 HIGH | Simple File List <= 6.3.7 - Missing Authorization to Unauthenticated File Modification via |
| CVE-2026-11911 | 7.5 HIGH | Simple File List <= 6.3.7 - Unauthenticated Arbitrary File Deletion via Path Traversal in |
IV. Related Vulnerabilities
Same product: Simple File List
- CVE-2026-11911
Simple File List <= 6.3.7 - Unauthenticated Arbitrary File D - CVE-2026-11912
Simple File List <= 6.3.7 - Missing Authorization to Unauthe - CVE-2026-24953
WordPress Simple File List plugin <= 6.1.15 - Arbitrary File - CVE-2025-68591
WordPress Simple File List plugin <= 6.1.18 - Broken Access - CVE-2025-54021
WordPress Simple File List plugin <= 6.1.14 - Arbitrary File
Same weakness: CWE-862
- CVE-2026-11912
Simple File List <= 6.3.7 - Missing Authorization to Unauthe - CVE-2026-56213
Capgo - Unauthenticated Cross-Tenant Metrics Poisoning via u - CVE-2026-48582
Microsoft Exchange Online Elevation of Privilege Vulnerabili - CVE-2026-12238
WP Go Maps <= 10.1.01 - Unauthenticated Arbitrary Record Cre - CVE-2026-49291
mcp-memory-service: OAuth read-only clients can write and de
V. Comments for CVE-2026-12119
No comments yet