CVE-2022-4030

Name of the Vulnerable Software and Affected Versions Simple:Press plugin for WordPress versions up to, and including, 6.8

Description The issue allows attackers with minimal permissions, such as a subscriber, to manipulate the file parameter during user avatar deletion, enabling them to supply paths to arbitrary files on the server that will subsequently be deleted. This can be used to delete the wp-config.php file, allowing an attacker to configure the site and achieve remote code execution.

Recommendations For versions up to, and including, 6.8, consider disabling the user avatar deletion feature until a patch is available. Restrict access to the file parameter to minimize the risk of exploitation. Avoid using the file parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.