Severity: 8.1 HIGH
EPSS: 0.2% (top 56.22%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 27; Latest update Jun 20

Description

The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks in an AJAX action that is available to any authenticated user, such as a subscriber, which could allow them to delete arbitrary files.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Exploitability: 2.8 | Impact: 5.2

Affected Packages (2 packages)

CVEListV5: unknown/html2wp 1.0.0

🔴Vulnerability Details (2)

GHSA: GHSA-c938-72w7-26mv: The HTML2WP WordPress plugin through 1 (2022-06-28)
CVEList: HTML2WP <= 1.0.0 - Subscriber+ Arbitrary File Deletion (2022-06-27)

📋Vendor Advisories (1)

Red Hat: kernel: net, neigh: Do not trigger immediate probes on NUD_FAILED from neigh_managed_work (2024-06-20)

🕵️Threat Intelligence (1)

Talos: Vulnerability Spotlight: Command injection vulnerabilities in Robustel cellular router (2022-06-30)
CVE-2022-1572 (HIGH CVSS 8.1) | The HTML2WP WordPress plugin throug | cvebase.io