CVE-2022-1572

🗓️ 27 Jun 2022 08:56:52Reported by WPScanType

cve🔗 web.nvd.nist.gov📰️ 4 Media mentions👁 81 Views🌐 WEB

The HTML2WP WordPress plugin lacks authorization and CSRF checks in an AJAX action, enabling authenticated users to delete arbitrary files

Reporter	Title	Published	Views	Family All 13
ATTACKERKB	CVE-2022-1572	27 Jun 202209:15	–	attackerkb
Circl	CVE-2022-1572	27 Jun 202212:40	–	circl
CNNVD	WordPress plugin HTML2WP 安全漏洞	27 Jun 202200:00	–	cnnvd
CNVD	WordPress HTML2WP plugin arbitrary file deletion vulnerability	30 Jun 202200:00	–	cnvd
Cvelist	CVE-2022-1572 HTML2WP <= 1.0.0 - Subscriber+ Arbitrary File Deletion	27 Jun 202208:56	–	cvelist
EUVD	EUVD-2022-24863	3 Oct 202520:07	–	euvd
NVD	CVE-2022-1572	27 Jun 202209:15	–	nvd
Patchstack	WordPress HTML2WP plugin <= 1.0.0 - Authenticated Arbitrary File Deletion vulnerability	2 Jun 202200:00	–	patchstack
Prion	Cross site request forgery (csrf)	27 Jun 202209:15	–	prion
Positive Technologies	PT-2022-13971 · WordPress · Html2Wp	27 Jun 202200:00	–	ptsecurity

NVD

Vulners

Node

html2wp_project html2wpRange≤1.0.0wordpress

[
  {
    "vendor": "Unknown",
    "product": "HTML2WP",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThanOrEqual": "1.0.0"
      }
    ],
    "defaultStatus": "affected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]

Source	Link
wpscan	www.wpscan.com/vulnerability/9afd1805-d449-4551-986a-f92cb47c95c5

Parameter	Position	Path	Description	CWE
type	request body	wp-admin/admin-ajax.php	AJAX action vulnerability allowing authenticated users to delete arbitrary files due to missing authorization/CSRF checks (HTML2WP plugin).	CWE-352, CWE-862
path	request body	wp-admin/admin-ajax.php	AJAX action vulnerability allowing authenticated users to delete arbitrary files due to missing authorization/CSRF checks (HTML2WP plugin).	CWE-352, CWE-862

21 Nov 2024 06:40Current

8High risk

Vulners AI Score8

CVSS 25.5

CVSS 3.18.1

EPSS0.00279