Headline
CVE-2022-4030: Changeset 2804020 for simplepress – WordPress Plugin Repository
The Simple:Press plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 6.8 via the ‘file’ parameter which can be manipulated during user avatar deletion. This makes it possible with attackers, with minimal permissions such as a subscriber, to supply paths to arbitrary files on the server that will subsequently be deleted. This can be used to delete the wp-config.php file that can allow an attacker to configure the site and achieve remote code execution.
98 # 1: strip mb4 chars if unsuppofrted 98 # 1: strip mb4 chars if unsupported
599 $allowedforumtags = array(‘address’ => array(‘class’ => true), ‘a’ => array(‘class’ => true, ‘href’ => true, ‘id’ => true, ‘title’ => true, ‘rel’ => true, ‘rev’ => true, ‘name’ => true, ‘target’ => true, ‘style’ => true), ‘abbr’ => array(‘class’ => true, ‘title’ => true), ‘acronym’ => array(‘title’ => true, ‘class’ => true), ‘article’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), ‘aside’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), ‘audio’ => array(‘autoplay’ => true, ‘class’ => true, ‘controls’ => true, ‘id’ => true, ‘loop’ => true, ‘muted’ => true, ‘poster’ => true, ‘preload’ => true, ‘src’ => true, ‘style’ => true), ‘b’ => array(‘class’ => true), ‘big’ => array(‘class’ => true), ‘blockquote’ => array(‘id’ => true, ‘cite’ => true, ‘class’ => true, ‘lang’ => true, ‘xml:lang’ => true, ‘style’ => true), ‘br’ => array(‘class’ => true), ‘caption’ => array(‘align’ => true, ‘class’ => true), ‘cite’ => array(‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘title’ => true), ‘code’ => array(‘class’ => true, ‘style’ => true), ‘dd’ => array(‘class’ => true), ‘del’ => array(‘datetime’ => true), ‘details’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘open’ => true, ‘style’ => true, ‘xml:lang’ => true), ‘div’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), ‘dl’ => array(‘class’ => true), ‘dt’ => array(‘class’ => true), ‘em’ => array(‘class’ => true), ‘embed’ => array(‘height’ => true, ‘name’ => true, ‘pallette’ => true, ‘src’ => true, ‘type’ => true, ‘width’ => true), ‘figure’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), ‘figcaption’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), ‘font’ => array(‘color’ => true, ‘face’ => true, ‘size’ => true), ‘footer’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), ‘header’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), ‘hgroup’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), ‘h1’ => array(‘align’ => true, ‘class’ => true, ‘id’ => true, ‘style’ => true), ‘h2’ => array(‘align’ => true, ‘class’ => true, ‘id’ => true, ‘style’ => true), ‘h3’ => array(‘align’ => true, ‘class’ => true, ‘id’ => true, ‘style’ => true), ‘h4’ => array(‘align’ => true, ‘class’ => true, ‘id’ => true, ‘style’ => true), ‘h5’ => array(‘align’ => true, ‘class’ => true, ‘id’ => true, ‘style’ => true), ‘h6’ => array(‘align’ => true, ‘class’ => true, ‘id’ => true, ‘style’ => true), ‘hr’ => array(‘align’ => true, ‘class’ => true, ‘noshade’ => true, ‘size’ => true, ‘width’ => true), ‘i’ => array(‘class’ => true), ‘img’ => array(‘alt’ => true, ‘title’ => true, ‘align’ => true, ‘border’ => true, ‘class’ => true, ‘height’ => true, ‘hspace’ => true, ‘longdesc’ => true, ‘vspace’ => true, ‘src’ => true, ‘style’ => true, ‘width’ => true, ‘data-upload’ => true, ‘data-width’ => true, ‘data-height’ => true), ‘ins’ => array(‘datetime’ => true, ‘cite’ => true), ‘kbd’ => array(‘class’ => true), ‘label’ => array(‘for’ => true), ‘legend’ => array(‘align’ => true), ‘li’ => array(‘align’ => true, ‘class’ => true, ‘id’ => true, ‘style’ => true), ‘menu’ => array(‘class’ => true, ‘style’ => true, ‘type’ => true), ‘nav’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), ‘object’ => array(‘classid’ => true, ‘codebase’ => true, ‘codetype’ => true, ‘data’ => true, ‘declare’ => true, ‘height’ => true, ‘name’ => true, ‘param’ => true, ‘standby’ => true, ‘type’ => true, ‘usemap’ => true, ‘width’ => true), ‘param’ => array(‘id’ => true, ‘name’ => true, ‘type’ => true, ‘value’ => true, ‘valuetype’ => true), ‘p’ => array(‘class’ => true, ‘align’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), ‘pre’ => array(‘class’ => true, ‘style’ => true, ‘width’ => true), ‘q’ => array(‘cite’ => true), ‘s’ => array(‘class’ => true), ‘section’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), ‘small’ => array(‘class’ => true), ‘source’ => array(‘class’ => true, ‘id’ => true, ‘media’ => true, ‘src’ => true, ‘style’ => true, ‘type’ => true), ‘span’ => array(‘class’ => true, ‘dir’ => true, ‘align’ => true, ‘lang’ => true, ‘style’ => true, ‘title’ => true, ‘xml:lang’ => true, ‘id’ => true), ‘strike’ => array(‘class’ => true), ‘strong’ => array(‘class’ => true), ‘sub’ => array(‘class’ => true), ‘summary’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), ‘sup’ => array(‘class’ => true), ‘table’ => array(‘align’ => true, ‘bgcolor’ => true, ‘border’ => true, ‘cellpadding’ => true, ‘cellspacing’ => true, ‘class’ => true, ‘dir’ => true, ‘id’ => true, ‘rules’ => true, ‘style’ => true, ‘summary’ => true, ‘width’ => true), ‘tbody’ => array(‘align’ => true, ‘char’ => true, ‘charoff’ => true, ‘valign’ => true), ‘td’ => array(‘abbr’ => true, ‘align’ => true, ‘axis’ => true, ‘bgcolor’ => true, ‘char’ => true, ‘charoff’ => true, ‘class’ => true, ‘colspan’ => true, ‘dir’ => true, ‘headers’ => true, ‘height’ => true, ‘nowrap’ => true, ‘rowspan’ => true, ‘scope’ => true, ‘style’ => true, ‘valign’ => true, ‘width’ => true), ‘tfoot’ => array(‘align’ => true, ‘char’ => true, ‘class’ => true, ‘charoff’ => true, ‘valign’ => true), ‘th’ => array(‘abbr’ => true, ‘align’ => true, ‘axis’ => true, ‘bgcolor’ => true, ‘char’ => true, ‘charoff’ => true, ‘class’ => true, ‘colspan’ => true, ‘headers’ => true, ‘height’ => true, ‘nowrap’ => true, ‘rowspan’ => true, ‘scope’ => true, ‘valign’ => true, ‘width’ => true), ‘thead’ => array(‘align’ => true, ‘char’ => true, ‘charoff’ => true, ‘class’ => true, ‘valign’ => true), ‘title’ => array(‘class’ => true), ‘tr’ => array(‘align’ => true, ‘bgcolor’ => true, ‘char’ => true, ‘charoff’ => true, ‘class’ => true, ‘style’ => true, ‘valign’ => true), ‘tt’ => array(‘class’ => true), ‘u’ => array(‘class’ => true), ‘ul’ => array(‘class’ => true, ‘style’ => true, ‘type’ => true), ‘ol’ => array(‘class’ => true, ‘start’ => true, ‘style’ => true, ‘type’ => true), ‘var’ => array(‘class’ => true), ‘video’ => array(‘autoplay’ => true, ‘class’ => true, ‘controls’ => true, ‘height’ => true, ‘id’ => true, ‘loop’ => true, ‘muted’ => true, ‘poster’ => true, ‘preload’ => true, ‘src’ => true, ‘style’ => true, ‘width’ => true)); 599 $allowedforumtags = array(‘address’ => array(‘class’ => true), 600 ‘a’ => array(‘class’ => true, ‘href’ => true, ‘id’ => true, ‘title’ => true, ‘rel’ => true, ‘rev’ => true, ‘name’ => true, ‘target’ => true, ‘style’ => true), 601 ‘abbr’ => array(‘class’ => true, ‘title’ => true), 602 ‘acronym’ => array(‘title’ => true, ‘class’ => true), 603 ‘article’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), 604 ‘aside’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), 605 ‘audio’ => array(‘autoplay’ => true, ‘class’ => true, ‘controls’ => true, ‘id’ => true, ‘loop’ => true, ‘muted’ => true, ‘poster’ => true, ‘preload’ => true, ‘src’ => true, ‘style’ => true), 606 ‘b’ => array(‘class’ => true), 607 ‘big’ => array(‘class’ => true), 608 ‘blockquote’ => array(‘id’ => true, ‘cite’ => true, ‘class’ => true, ‘lang’ => true, ‘xml:lang’ => true, ‘style’ => true), 609 ‘br’ => array(‘class’ => true), 610 ‘caption’ => array(‘align’ => true, ‘class’ => true), 611 ‘cite’ => array(‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘title’ => true), 612 ‘code’ => array(‘class’ => true, ‘style’ => true), ‘dd’ => array(‘class’ => true), 613 ‘del’ => array(‘datetime’ => true), 614 ‘details’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘open’ => true, ‘style’ => true, ‘xml:lang’ => true), 615 ‘div’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), 616 ‘dl’ => array(‘class’ => true), 617 ‘dt’ => array(‘class’ => true), 618 ‘em’ => array(‘class’ => true), 619 ‘figure’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), 620 ‘figcaption’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), 621 ‘font’ => array(‘color’ => true, ‘face’ => true, ‘size’ => true), 622 ‘footer’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), 623 ‘header’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), 624 ‘hgroup’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), 625 ‘h1’ => array(‘align’ => true, ‘class’ => true, ‘id’ => true, ‘style’ => true), 626 ‘h2’ => array(‘align’ => true, ‘class’ => true, ‘id’ => true, ‘style’ => true), 627 ‘h3’ => array(‘align’ => true, ‘class’ => true, ‘id’ => true, ‘style’ => true), 628 ‘h4’ => array(‘align’ => true, ‘class’ => true, ‘id’ => true, ‘style’ => true), 629 ‘h5’ => array(‘align’ => true, ‘class’ => true, ‘id’ => true, ‘style’ => true), 630 ‘h6’ => array(‘align’ => true, ‘class’ => true, ‘id’ => true, ‘style’ => true), 631 ‘hr’ => array(‘align’ => true, ‘class’ => true, ‘noshade’ => true, ‘size’ => true, ‘width’ => true), 632 ‘i’ => array(‘class’ => true), 633 ‘img’ => array(‘alt’ => true, ‘title’ => true, ‘align’ => true, ‘border’ => true, ‘class’ => true, ‘height’ => true, ‘hspace’ => true, ‘longdesc’ => true, ‘vspace’ => true, ‘src’ => true, ‘style’ => true, ‘width’ => true, ‘data-upload’ => true, ‘data-width’ => true, ‘data-height’ => true), 634 ‘ins’ => array(‘datetime’ => true, ‘cite’ => true), 635 ‘kbd’ => array(‘class’ => true), 636 ‘label’ => array(‘for’ => true), 637 ‘legend’ => array(‘align’ => true), 638 ‘li’ => array(‘align’ => true, ‘class’ => true, ‘id’ => true, ‘style’ => true), 639 ‘menu’ => array(‘class’ => true, ‘style’ => true, ‘type’ => true), 640 ‘nav’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), 641 ‘param’ => array(‘id’ => true, ‘name’ => true, ‘type’ => true, ‘value’ => true, ‘valuetype’ => true), 642 ‘p’ => array(‘class’ => true, ‘align’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), 643 ‘pre’ => array(‘class’ => true, ‘style’ => true, ‘width’ => true), ‘q’ => array(‘cite’ => true), 644 ‘s’ => array(‘class’ => true), 645 ‘section’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), 646 ‘small’ => array(‘class’ => true), 647 ‘source’ => array(‘class’ => true, ‘id’ => true, ‘media’ => true, ‘src’ => true, ‘style’ => true, ‘type’ => true), 648 ‘span’ => array(‘class’ => true, ‘dir’ => true, ‘align’ => true, ‘lang’ => true, ‘style’ => true, ‘title’ => true, ‘xml:lang’ => true, ‘id’ => true), 649 ‘strike’ => array(‘class’ => true), 650 ‘strong’ => array(‘class’ => true), 651 ‘sub’ => array(‘class’ => true), 652 ‘summary’ => array(‘align’ => true, ‘class’ => true, ‘dir’ => true, ‘lang’ => true, ‘style’ => true, ‘xml:lang’ => true), 653 ‘sup’ => array(‘class’ => true), 654 ‘table’ => array(‘align’ => true, ‘bgcolor’ => true, ‘border’ => true, ‘cellpadding’ => true, ‘cellspacing’ => true, ‘class’ => true, ‘dir’ => true, ‘id’ => true, ‘rules’ => true, ‘style’ => true, ‘summary’ => true, ‘width’ => true), 655 ‘tbody’ => array(‘align’ => true, ‘char’ => true, ‘charoff’ => true, ‘valign’ => true), 656 ‘td’ => array(‘abbr’ => true, ‘align’ => true, ‘axis’ => true, ‘bgcolor’ => true, ‘char’ => true, ‘charoff’ => true, ‘class’ => true, ‘colspan’ => true, ‘dir’ => true, ‘headers’ => true, ‘height’ => true, ‘nowrap’ => true, ‘rowspan’ => true, ‘scope’ => true, ‘style’ => true, ‘valign’ => true, ‘width’ => true), 657 ‘tfoot’ => array(‘align’ => true, ‘char’ => true, ‘class’ => true, ‘charoff’ => true, ‘valign’ => true), 658 ‘th’ => array(‘abbr’ => true, ‘align’ => true, ‘axis’ => true, ‘bgcolor’ => true, ‘char’ => true, ‘charoff’ => true, ‘class’ => true, ‘colspan’ => true, ‘headers’ => true, ‘height’ => true, ‘nowrap’ => true, ‘rowspan’ => true, ‘scope’ => true, ‘valign’ => true, ‘width’ => true), 659 ‘thead’ => array(‘align’ => true, ‘char’ => true, ‘charoff’ => true, ‘class’ => true, ‘valign’ => true), 660 ‘title’ => array(‘class’ => true), 661 ‘tr’ => array(‘align’ => true, ‘bgcolor’ => true, ‘char’ => true, ‘charoff’ => true, ‘class’ => true, ‘style’ => true, ‘valign’ => true), 662 ‘tt’ => array(‘class’ => true), 663 ‘u’ => array(‘class’ => true), 664 ‘ul’ => array(‘class’ => true, ‘style’ => true, ‘type’ => true), 665 ‘ol’ => array(‘class’ => true, ‘start’ => true, ‘style’ => true, ‘type’ => true), 666 ‘var’ => array(‘class’ => true), 667 ‘video’ => array(‘autoplay’ => true, ‘class’ => true, ‘controls’ => true, ‘height’ => true, ‘id’ => true, ‘loop’ => true, ‘muted’ => true, ‘poster’ => true, ‘preload’ => true, ‘src’ => true, ‘style’ => true, ‘width’ => true) 668 );
Related news
The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dn' parameter on the 'chainedquiz_list' page in versions up to, and including, 1.3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
The Simple:Press plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'postitem' parameter manipulated during a forum response in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping that makes injecting object and embed tags possible. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages when responding to forum threads that will execute whenever a user accesses an injected page.
The Simple:Press plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'postitem' parameter manipulated during the profile-save action when modifying a profile signature in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping that makes injecting object and embed tags possible. This makes it possible for authenticated attackers, with minimal permissions, such as a subscriber to inject arbitrary web scripts in pages when modifying a profile signature that will execute whenever a user accesses an injected page.
The Simple:Press plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sforum_[md5 hash of the WordPress URL]' cookie value in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This would be highly complex to exploit as it would require the attacker to set the cookie a cookie for the targeted user.
The WP Affiliate Platform plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_SERVER["REQUEST_URI"] in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is unlikely to work in modern browsers.
The Appointment Hour Booking plugin for WordPress is vulnerable to CAPTCHA bypass in versions up to, and including, 1.3.72. This is due to the use of insufficiently strong hashing algorithm on the CAPTCHA secret that is also displayed to the user via a cookie.
The Quiz and Survey Master plugin for WordPress is vulnerable to iFrame Injection via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input sanitization and output escaping that allowed iframe tags to be injected. This makes it possible for unauthenticated attackers to inject iFrames in pages that will execute whenever a user accesses an injected page.
The Quiz and Survey Master plugin for WordPress is vulnerable to input validation bypass via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input validation that allows attackers to inject content other than the specified value (i.e. a number, file path, etc..). This makes it possible attackers to submit values other than the intended input type.
The Appointment Hour Booking plugin for WordPress is vulnerable to iFrame Injection via the ‘email’ or general field parameters in versions up to, and including, 1.3.72 due to insufficient input sanitization and output escaping that makes injecting iFrame tags possible. This makes it possible for unauthenticated attackers to inject iFrames when submitting a booking that will execute whenever a user accesses the injected booking details page.
The Appointment Hour Booking Plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.3.72. This makes it possible for unauthenticated attackers to embed untrusted input into content during booking creation that may be exported as a CSV file when a site's administrator exports booking details. This can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
The WP Affiliate Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.