WordPress Plugin Vulnerabilities

Simple:Press < 6.8.1 - Subscriber+ Stored XSS via Profile Signatures

Description

The plugin does not sanitise and escape the postitem parameter when modifying profile signatures, which could allow any authenticated users, such as subscriber to perform Stored XSS attacks

Affects Plugins

Plugin icon
simplepress
Fixed in 6.8.1

References

CVE
CVE-2022-4028

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Luca Greeb, Andreas Krüger
Verified
No
WPVDB ID
da99da13-cbaa-4bbd-912f-a79fe511cdcd

Timeline

Publicly Published
2022-11-29 (about 3 years ago)
Added
2022-11-29 (about 3 years ago)
Last Updated
2022-11-29 (about 3 years ago)

Other

Published
Title
Published
2025-02-18
Title
ADFO – Custom data in admin dashboard <= 1.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-07-09
Title
ConeBlog – WordPress Blog Widgets < 1.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-08-13
Title
2Way VideoCalls and Random Chat < 5.2.8 - Reflected Cross-Site Scripting
Published
2026-01-20
Title
Hostiko < 94.3.6 - Unauthenticated Stored Cross-Site Scripting
Published
2025-05-06
Title
Multiple Post Type Order <= 1.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mpto Shortcode