Simple File List <= 6.3.7 - Unauthenticated Arbitrary File Deletion via Path Traversal in 'eeSubFolder' Parameter

An unauthenticated attacker sends a crafted POST request to `wp-admin/admin-ajax.php` with `action=simplefilelist_edit_job` and a payload that triggers the delete operation. Because `is_admin()` always returns true for `admin-ajax.php` requests, the access check is bypassed, and the plugin fails to validate that the target file path stays within the allowed upload directory. By supplying a path like `../../wp-config.php`, the attacker can delete arbitrary files on the server. Deleting `wp-config.php` forces WordPress into its setup routine and can lead to remote code execution. [ref_id=1]

The vulnerability resides in the `eeSFL_DeleteFile` function and the `eeSFL_FileSystem` helper, specifically the `delete` case. The `eeSFL_DeleteFile` lacks proper path validation before passing user-supplied file paths to `eeSFL_FileSystem('delete', ...)`, which then calls `unlink()` without restricting the target to the plugin's upload directory. The AJAX action `simplefilelist_edit_job` is registered via `wp_ajax_nopriv_`, making it accessible to unauthenticated users, and the `is_admin()` guard is bypassed because it always returns true for requests to `admin-ajax.php`. These code paths are visible in the provided snippet from `ee-functions.php`.

The patch restricts the `eeSFL_DeleteFile` function to only accept file paths that reside within the plugin's configured upload directory, rejecting any path containing `../` or an absolute path outside that directory. It also removes the reliance on `is_admin()` for authentication by explicitly checking `current_user_can('upload_files')` inside the AJAX handler. These changes prevent an attacker from referencing files outside the intended file list folder and ensure only authenticated users with upload capabilities can trigger deletion.