PT-2022-25318 · WordPress · Simple:Press

Andreas Krüger +1 · Published 2022-11-29 · Updated 2022-12-01 · CVE-2022-4028

CVSS v3.1

6.4 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Simple:Press plugin for WordPress versions up to, and including, 6.8

Description

The issue allows for Stored Cross-Site Scripting via the postitem parameter when modifying a profile signature. This is due to insufficient input sanitization and output escaping, making it possible to inject object and embed tags. Authenticated attackers with minimal permissions can inject arbitrary web scripts in pages, which will execute when a user accesses an injected page.

Recommendations

For versions up to, and including, 6.8, consider disabling the profile signature modification feature until a patch is available to prevent exploitation. Restrict access to the postitem parameter to minimize the risk of arbitrary web script injection. Avoid using the postitem parameter in the profile-save action until the issue is resolved.
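
An added example, not Simple:Press code and not the vendor's fix: an allowlist sanitizer for signature HTML that removes object and embed elements together with their content and escapes text on output, the two controls the description reports as insufficient. The allowlist, the name `sanitize_signature` and the sample input are assumptions; Python's standard library is used so the example runs offline, whereas a WordPress plugin would apply the same policy in PHP.

```python
from html import escape
from html.parser import HTMLParser

# Assumed signature policy (not taken from the plugin): tag -> allowed attributes.
ALLOWED = {"a": {"href"}, "b": set(), "em": set(), "strong": set(), "br": set()}
VOID = {"br"}
SCHEMES = ("http://", "https://")
DROP_WITH_CONTENT = {"object", "embed", "script", "style", "iframe"}

class SignatureSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.skip_depth = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.removed.append(tag)
            if tag != "embed":          # embed is a void element, no end tag
                self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED:
            return                      # unknown tags vanish, their text stays
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                # drops onclick, style and the like
            if name == "href" and not value.strip().lower().startswith(SCHEMES):
                continue                # drops javascript:, data:, relative URLs
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if tag != "embed" and self.skip_depth:
                self.skip_depth -= 1
        elif not self.skip_depth and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # escape text on output

def sanitize_signature(raw):
    # Returns (sanitized_html, dangerous_tags_removed) for logging or rejection.
    parser = SignatureSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample input, not a value from the advisory.
SAMPLE = ('Regards, <b>Sam</b><object data="https://example.invalid/x">'
          'fallback</object><embed src="https://example.invalid/y">'
          '<a href="https://example.org" onclick="x()">site</a>')
```

An unclosed object element causes everything after it to be dropped, so malformed input fails closed.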

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-4028

Affected Products

Simple:Press