CVE Vulnerability

CVE-2022-4030

The Simple:Press plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 6.8 via the 'file' parameter which can be manipulated during user avatar deletion. This makes it possible with attackers, with minimal permissions such as a subscriber, to supply paths to arbitrary files on the server that will subsequently be deleted. This can be used to delete the wp-config.php file that can allow an attacker to configure the site and achieve remote code execution.

8.1 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2804020%40simplepress&new=2804020%40simplepress&sfp_email=&sfph_mail= Patch Third Party Advisory
https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4030 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:simple-press:simple:press:*:*:*:*:*:wordpress:*:*
Information

Published : 2022-11-29 09:15

Updated : 2022-12-01 06:41

NVD link : CVE-2022-4030

Mitre link : CVE-2022-4030

Products Affected
No products.
CWE
CWE-22