WordPress Plugin Vulnerabilities

Simple:Press < 6.8.1 - Subscriber+ Arbitrary File Deletion

Description

The plugin does not validate a file parameter when a user delete its avatar, which could allow any authenticated users, such as subscriber to delete arbitrary files on the server

Affects Plugins

Plugin icon
simplepress
Fixed in 6.8.1

References

CVE
CVE-2022-4030

Classification

Type
FILE DELETION
OWASP top 10
A6: Security Misconfiguration
CWE
CWE-73
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Luca Greeb, Andreas Krüger
Verified
No
WPVDB ID
69bb2ac1-b27a-4623-9d7f-51f19063fd58

Timeline

Publicly Published
2022-11-29 (about 3 years ago)
Added
2022-11-29 (about 3 years ago)
Last Updated
2022-11-29 (about 3 years ago)

Other

Published
Title
Published
2024-12-20
Title
Easy Digital Downloads < 3.3.3 - Authenticated (Admin+) Arbitrary File Download
Published
2025-10-02
Title
Backup Bolt < 1.5.0 - Authenticated (Admin+) Arbitrary File Download
Published
2026-01-06
Title
EmailKit < 1.6.2 - Authenticated (Author+) Arbitrary File Read via Path Traversal
Published
2022-08-03
Title
Download Manager < 3.2.51 - Contributor+ Arbitrary File Deletion
Published
2022-02-16
Title
Login with phone number < 1.3.7 - Unauthenticated remote plugin deletion