Simple File List <= 6.3.7 - Missing Authorization to Unauthenticated File Modification via simplefilelist_edit_job AJAX Action
Description
The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the server. This vulnerability is exploitable even when the administrator has not enabled the AllowFrontManage setting, because the is_admin() check unconditionally short-circuits the guard before that setting is evaluated.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <=6.3.7
Patches
Vulnerability mechanics
Root cause
"Unconditional short-circuit of authorization check via is_admin() before evaluating the AllowFrontManage setting, allowing unauthenticated file operations."
Attack vector
An unauthenticated attacker sends a crafted HTTP request to a WordPress endpoint served by the Simple File List plugin. The plugin's authorization logic checks `is_admin()` unconditionally; because `is_admin()` returns true for any request served through the WordPress admin area, whether or not the requester is authenticated, the guard exits early and never inspects the `AllowFrontManage` flag, which was intended to block front-end file operations. This permits arbitrary file deletion, modification, and creation on the server. [ref_id=1] documents the full set of filesystem operations (copy, move, delete, put_contents, etc.) that become reachable without authentication.
Affected code
The vulnerability resides in the authorization guard of the Simple File List plugin's `ee-functions.php` file. The plugin uses an unconditional `is_admin()` check that short-circuits the permission logic before the `AllowFrontManage` setting is evaluated, allowing unauthenticated attackers to reach file-manipulation functions such as `eeSFL_FileSystem`. [ref_id=1] shows the filesystem operations (copy, move, delete, put_contents, etc.) that become accessible as a result.
What the fix does
The advisory does not include a published patch, only a description of the flawed logic. The recommended fix is to restructure the authorization check so that `is_admin()` is not evaluated before the `AllowFrontManage` setting is examined; instead, the setting should be checked first, and `is_admin()` should only be used as a secondary gate. Without the patch, the unconditional `is_admin()` call allows every request to bypass the intended front-end restrictions.
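The following is an added illustration of the guard pattern the advisory describes and of a hardened alternative; it is not the plugin's code and not a published patch. The option key `AllowFrontManage`, the function names, the nonce action name and the file-operation stub are assumptions chosen for the example. The point it makes is that `is_admin()` only reports which part of WordPress is serving the request, so it must never be the first or only authorization decision; the setting, the login state and the caller's capability are what decide.

```php
<?php
// Added illustrative example; not Simple File List's own code.
// Assumed names: the 'AllowFrontManage' option key, the handler
// functions and the file-operation stub are placeholders.

// Flawed pattern described in the advisory: is_admin() short-circuits
// the guard. is_admin() only says the request was routed through the
// admin area (admin-ajax.php included); it says nothing about who sent
// it, so an unauthenticated AJAX request satisfies this check.
function flawed_may_manage_files() {
    if ( is_admin() ) {
        return true; // reached for every admin-area request, logged in or not
    }
    return (bool) get_option( 'AllowFrontManage', false );
}

// Hardened pattern: decide on login state, the setting and the caller's
// capability, and never treat is_admin() as an authorization signal.
// Assumed semantics: AllowFrontManage opts front-end (non-admin) users
// into file management; when it is off, only administrators may proceed.
function hardened_may_manage_files() {
    if ( ! is_user_logged_in() ) {
        return false; // anonymous callers never modify files
    }
    if ( current_user_can( 'manage_options' ) ) {
        return true; // administrators may always manage files
    }
    $front_allowed = (bool) get_option( 'AllowFrontManage', false );
    // Front-end management is opt-in and still requires a capability.
    return $front_allowed && current_user_can( 'upload_files' );
}

// AJAX handler for the edit action: nonce check against CSRF first,
// then the authorization decision, then the file operation.
function hardened_edit_job_handler() {
    check_ajax_referer( 'sfl_edit_job', 'nonce' ); // terminates the request on failure
    if ( ! hardened_may_manage_files() ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // ... perform the requested file operation here (placeholder) ...
    wp_send_json_success();
}

// Register only the authenticated hook. Omitting the wp_ajax_nopriv_
// variant means anonymous requests never reach the handler at all.
add_action( 'wp_ajax_simplefilelist_edit_job', 'hardened_edit_job_handler' );
```

When reviewing a plugin for this class of bug, search every AJAX handler for `is_admin()` used as a gate and confirm that a capability check and a nonce check run before any filesystem call; a `wp_ajax_nopriv_` registration on a file-modifying action is the second thing to look for.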
Preconditions
- Administrator has not enabled the AllowFrontManage setting (default state).
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-functions.php (mitre)
- plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-list-display.php (mitre)
- plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/simple-file-list.php (mitre)
- plugins.trac.wordpress.org/changeset (mitre)
- www.wordfence.com/threat-intel/vulnerabilities/id/509a40d2-a33a-49ba-b858-fa8805127a1b (mitre)
News mentions
No linked articles in our index yet.