PatchSiren cyber security CVE debrief

CVE-2026-11911 eemitch CVE debrief

The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFL_DeleteFile function in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The simplefilelist_edit_job AJAX action is registered via wp_ajax_nopriv_, making it accessible without authentication, and the is_admin() guard that would otherwise restrict access is bypassed because is_admin() always returns true for requests to the admin-ajax.php endpoint. Defenders should prioritize patching or mitigating this vulnerability as it poses a high risk of remote code execution.

Vendor: eemitch
Product: Simple File List
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-20
Original CVE updated: 2026-06-22
Advisory published: 2026-06-20
Advisory updated: 2026-06-22

Who should care

Defenders responsible for WordPress installations with the Simple File List plugin installed should prioritize patching or mitigating this vulnerability. The vulnerability's high CVSS score of 7.5 and potential for remote code execution make it a critical concern. WordPress administrators, security teams, and plugin maintainers should take immediate action to limit exposure.

Technical summary

The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFL_DeleteFile function. The simplefilelist_edit_job AJAX action is registered via wp_ajax_nopriv_, making it accessible without authentication. The is_admin() guard is bypassed because is_admin() always returns true for requests to the admin-ajax.php endpoint. This allows unauthenticated attackers to delete arbitrary files on the server, potentially leading to remote code execution.
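The three weaknesses named above (an anonymous wp_ajax_nopriv_ registration, an is_admin() call used as if it were an authorization check, and a file path that is never confined to the plugin's directory) each map to a concrete control in a WordPress AJAX handler. The following is an added illustration written for this debrief, not code from the Simple File List plugin or from eemitch; the action name, nonce action, capability and upload directory are assumptions chosen for the example.

```php
<?php
/**
 * Added example: a hardened file-deletion AJAX handler for a hypothetical
 * plugin. Names prefixed example_plugin_ are assumptions, not identifiers
 * from Simple File List.
 */

// Register for logged-in users only. There is deliberately no
// wp_ajax_nopriv_ hook: a destructive action must not be reachable by
// anonymous callers at all.
add_action( 'wp_ajax_example_plugin_delete_file', 'example_plugin_delete_file' );

function example_plugin_delete_file() {
    // 1. Capability check. is_admin() only reports that the request targets
    //    an admin-side endpoint and is always true under admin-ajax.php, so it
    //    says nothing about who the caller is. current_user_can() does.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Nonce check (CSRF). check_ajax_referer() dies on failure.
    check_ajax_referer( 'example_plugin_delete_file', 'nonce' );

    // 3. Path confinement: the request may only name a file that already
    //    exists directly inside the plugin's own upload directory.
    $base   = example_plugin_base_dir();
    $target = example_plugin_resolve_in_base( $base, wp_unslash( $_POST['file'] ?? '' ) );
    if ( null === $target ) {
        wp_send_json_error( 'invalid path', 400 );
    }

    wp_delete_file( $target );
    if ( file_exists( $target ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => basename( $target ) ) );
}

/** Assumed location of the plugin's managed files. */
function example_plugin_base_dir() {
    $upload = wp_upload_dir();
    return trailingslashit( $upload['basedir'] ) . 'example-plugin';
}

/**
 * Return the canonical path of $user_path inside $base, or null if the
 * request names anything outside it (traversal, symlink escape, a
 * directory, a non-existent file, or an embedded NUL byte).
 */
function example_plugin_resolve_in_base( $base, $user_path ) {
    $base = realpath( $base );
    if ( false === $base ) {
        return null;
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;

    // Only a bare file name is expected: reject NUL bytes and any path
    // component separators before touching the filesystem.
    if ( '' === $user_path || false !== strpos( $user_path, "\0" ) ) {
        return null;
    }
    if ( basename( $user_path ) !== $user_path ) {
        return null;
    }

    // realpath() resolves "..", "." and symlinks; the result must still sit
    // under $base and be a regular file. This is what stops a request from
    // reaching wp-config.php or anything else outside the managed directory.
    $real = realpath( $base . $user_path );
    if ( false === $real || 0 !== strpos( $real, $base ) || ! is_file( $real ) ) {
        return null;
    }
    return $real;
}
```

The client side would send the nonce produced by wp_create_nonce( 'example_plugin_delete_file' ) in a field named nonce. The order of the checks matters for defenders reviewing their own plugins: authorization first, then request integrity, then input validation, and the filesystem is only consulted after the name has passed the cheap string checks. The realpath() prefix comparison is the piece that a simple basename() or string-replacement filter does not give you, because it also resolves symlinks that point outside the directory.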

Defensive priority

High priority due to potential for remote code execution via arbitrary file deletion.

Recommended defensive actions

  • Apply the latest patch or update to version 6.3.8 or later
  • Limit access to the admin-ajax.php endpoint
  • Monitor for suspicious file deletion activity
  • Implement compensating controls to restrict file deletion
  • Review and update incident response plans

Evidence notes

The CVE record and NVD detail provide evidence of the vulnerability's existence and its potential impact. The source references from Wordfence provide additional context and details about the vulnerability. Defenders should verify the affected product and version, and review official sources for updates and patches.

Official resources

This article is AI-assisted and based on the supplied source corpus.