Simple File List <= 6.3.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Operations (Deletion / Move / Folder Creation / Download) via 'frontmanage' Shortcode Attribute
Description
The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the 'frontmanage' shortcode attribute in all versions up to, and including, 6.3.7. This makes it possible for authenticated attackers, with contributor-level access and above, to perform arbitrary file operations including deletion, move, folder creation, and download. An attacker can create a draft post containing the 'eeSFL' shortcode, render it via the post preview endpoint to harvest the nonce needed to authorize the operations, and then submit file operation requests that bypass the intended authorization checks in includes/ee-list-ops-bar-process.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <=6.3.7
Patches
Vulnerability mechanics
Root cause
"Missing authorization check on the 'frontmanage' shortcode attribute allows contributors to bypass intended access controls and perform arbitrary file operations."
Attack vector
An authenticated attacker with contributor-level access creates a draft post containing the 'eeSFL' shortcode with the 'frontmanage' attribute set to a value that enables front-end management. The post is rendered via the WordPress preview endpoint, which triggers the shortcode processing in includes/ee-list-ops-bar-process.php and generates a valid nonce. The attacker then captures this nonce and submits file operation requests (delete, move, create folder, download) that the plugin's front-end handler processes without verifying the user's actual capability level. The missing check on the 'frontmanage' attribute [ref_id=1] allows any user who can obtain the nonce to perform operations that should be restricted to administrators.
Affected code
The vulnerable code is in includes/ee-list-ops-bar-process.php, which processes file operation requests. The shortcode attribute handling in includes/ee-front-end.php [ref_id=1] at line 140 processes the 'frontmanage' attribute without proper access-level validation. The line `if($frontmanage) { $eeSFL->eeListSettings['AllowFrontManage'] = strtoupper($frontmanage); }` directly sets the setting without checking whether the user has sufficient privileges to enable front-end management.
What the fix does
The advisory does not include a published patch, but the fix would require adding a capability check (e.g., current_user_can('manage_options')) before allowing the 'frontmanage' shortcode attribute to override the 'AllowFrontManage' setting. The code at [ref_id=1] shows that 'frontmanage' is set directly into 'AllowFrontManage' without any access-level validation, unlike the 'showlist' and 'allowuploads' attributes which have explicit checks against stored settings and require manage_options for expansion. A proper fix would apply the same access-level comparison pattern to 'frontmanage', ensuring that only users with sufficient privileges can enable front-end management via shortcode attributes.
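The vulnerable attribute handling beside a hardened form, as an added example that is not the plugin's own code: the value semantics of 'AllowFrontManage' ('NO' disables front-end management, anything else enables it) and the two function names are assumptions.

```php
<?php
// Added example, not code from the Simple File List plugin. Assumes (hypothetically) that
// $eeSFL->eeListSettings['AllowFrontManage'] is an upper-case string where 'NO' disables
// front-end management and any other value enables it.

// Pattern the advisory describes as vulnerable: the attribute overrides the stored setting
// unconditionally, so anyone who can place the shortcode in a post turns management on.
function eesfl_apply_frontmanage_unsafe( $eeSFL, array $atts ) {
	$frontmanage = isset( $atts['frontmanage'] ) ? $atts['frontmanage'] : '';
	if ( $frontmanage ) {
		$eeSFL->eeListSettings['AllowFrontManage'] = strtoupper( $frontmanage );
	}
}

// Hardened form following the pattern the advisory attributes to 'showlist' and 'allowuploads':
// the attribute is compared with the stored setting, may only narrow it, and expanding it
// (enabling management when the site setting disables it) requires manage_options.
function eesfl_apply_frontmanage_safe( $eeSFL, array $atts ) {
	if ( empty( $atts['frontmanage'] ) ) {
		return false; // nothing requested; the stored setting stays in force
	}
	$requested = strtoupper( sanitize_text_field( $atts['frontmanage'] ) );
	$stored    = strtoupper( (string) $eeSFL->eeListSettings['AllowFrontManage'] );

	$requested_enables = ( 'NO' !== $requested );
	$stored_enables    = ( 'NO' !== $stored );

	if ( $requested_enables && ! $stored_enables && ! current_user_can( 'manage_options' ) ) {
		// Expansion attempted without privilege: keep the stored value and leave a trace for ops.
		error_log( 'Simple File List: frontmanage attribute ignored for user ' . get_current_user_id() );
		return false;
	}

	// Narrowing (or a change by a user holding manage_options) is applied.
	$eeSFL->eeListSettings['AllowFrontManage'] = $requested;
	return true;
}
```

Because shortcodes run when a page is rendered, current_user_can() tests the viewer, which is the contributor in the preview scenario this advisory describes; for attributes placed by a post's author, also checking the author with author_can( $post, 'manage_options' ) covers the case where a higher-privileged user views a contributor's post.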
Preconditions
- Auth: Attacker must have an authenticated WordPress account with at least contributor-level access
- Input: Attacker must create a draft post containing the 'eeSFL' shortcode with the 'frontmanage' attribute
- Network: Attacker must be able to access the WordPress post preview endpoint to render the shortcode and capture the generated nonce
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-front-end.php
- plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-list-display.php
- plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-list-ops-bar-display.php
- plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-list-ops-bar-process.php
- plugins.trac.wordpress.org/changeset
- www.wordfence.com/threat-intel/vulnerabilities/id/f1ed51a3-c049-4816-ada1-49f7edcb9a6f