CVE-2022-4027
The CVE-2022-4027 entry concerns the WordPress Simple:Press plugin (versions up to 6.8) with a stored XSS vulnerability in the forum reply flow via the postitem parameter. The root cause is insufficient input sanitization and output escaping, allowing injection of object/embed tags. Unauthenticat...
CVE-2022-4028
The CVE-2022-4028 entry describes a stored XSS vulnerability in the WordPress Simple:Press plugin (up to and including version 6.8) triggered by the postitem parameter during profile-signature modification. Root cause: insufficient input sanitization and output escaping enables injection of object/embe...
CVE-2022-4031
The CVE-2022-4031 entry concerns the Simple:Press WordPress plugin (versions up to and including 6.8) and describes an arbitrary file modification vulnerability via the file parameter, where an attacker with high privileges (e.g., admin) can supply filesystem paths to modify files outside the int...
CVE-2022-4029
CVE-2022-4029 affects the WordPress Simple:Press plugin up to version 6.8. The vulnerability is a reflected cross-site scripting flaw via the value of a cookie whose name has the form sforum_[md5 hash of the WordPress URL], caused by insufficient input sanitization and output escaping. This enables unauthenticated atta...
CVE-2022-4030
The CVE-2022-4030 entry concerns the WordPress Simple:Press plugin (versions up to 6.8). It describes a path-traversal flaw in the file parameter used during user avatar deletion, which could allow an attacker with minimal privileges (e.g., a subscriber) to reference and delete arbitrary server f...
CVE-2020-36706
CVE-2020-36706 affects the Simple:Press WordPress Forum Plugin. The issue is missing file type validation in the sf-uploader.php uploader (~/admin/resources/jscript/ajaxupload/sf-uploader.php), allowing arbitrary file uploads in versions up to 6.6.0 and potentially enabling remote code execution ...