CVE-2022-1574
published 2022-06-27


Priority: P186 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 11.87% (95.6th percentile)
The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks when importing files, and does not validate them, as a result, unauthenticated attackers can upload arbitrary files (such as PHP) on the remote server

Affected

1 range

Vendor           Product   Version range   Fixed in
html2wp_project  html2wp   <= 1.0.0        (none listed)

Detection & IOCs (extracted from sources)

url: /wp-admin/admin.php?page=html2wp-settings
path: /wp-content/uploads/html2wp/
command: POST /wp-admin/admin.php?page=html2wp-settings with multipart/form-data field name="local_importing[]" and a .php filename
  • Unauthenticated POST to /wp-admin/admin.php?page=html2wp-settings with a multipart file upload (field: local_importing[]) containing a PHP file should trigger a 302 redirect; the uploaded file is then accessible at /wp-content/uploads/html2wp/<filename>.php returning HTTP 200.
  • Monitor for multipart/form-data POST requests to the html2wp-settings admin page that include a PHP (or other executable) file in the local_importing[] field, especially from unauthenticated or low-privilege sessions (no CSRF token required).
  • Alert on new PHP files appearing under the wp-content/uploads/html2wp/ directory, as this is the drop location for files uploaded via exploitation of this vulnerability.
  • The multipart boundary used in the proof-of-concept is ---------------------------7816508136577551742878603990; while not a reliable long-term signature, it may appear in active exploit traffic.
  • The vulnerability affects HTML2WP plugin versions up to and including 1.0.0 only; patched or removed installations are not affected.
  • The Nuclei template uses a randomised filename ({{randstr}}.php) for the uploaded webshell, so the exact filename will vary per exploit attempt and cannot be used as a static IOC.
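The request-side and filesystem-side indicators above can be turned into detection logic. The following is an added example, not code from the original page, the HTML2WP plugin or the Nuclei template it mentions: it parses a raw HTTP request, flags the exploitation shape (POST to admin.php?page=html2wp-settings with an executable filename in the local_importing[] field), and filters a list of filesystem paths for executable drops under wp-content/uploads/html2wp/. The sample request, the sample paths and the extra PHP-family extensions beyond .php are assumptions constructed for the example.

```python
"""Detection helpers for the CVE-2022-1574 indicators listed above.

Added example, not code from the original page, the HTML2WP plugin or the
Nuclei template it mentions. Sample traffic and paths below are constructed.
"""
import os
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/wp-admin/admin.php"
TARGET_PAGE = "html2wp-settings"
FIELD_NAME = "local_importing[]"
DROP_DIR = "/wp-content/uploads/html2wp/"
# The advisory names only .php; the other extensions are an assumption about
# what a typical PHP handler configuration will also execute.
EXECUTABLE_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar"}

_DISPOSITION = re.compile(
    rb'Content-Disposition:\s*form-data;\s*name="(?P<name>[^"]*)"'
    rb'(?:;\s*filename="(?P<filename>[^"]*)")?',
    re.I,
)


def _ext(filename: str) -> str:
    return os.path.splitext(filename)[1].lower()


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def multipart_files(headers: dict, body: bytes):
    """Return (field_name, filename) for each file part of a multipart body."""
    ctype = headers.get("content-type", "")
    match = re.search(r'boundary=("?)([^";]+)\1', ctype, re.I)
    if not ctype.lower().startswith("multipart/form-data") or not match:
        return []
    delimiter = b"--" + match.group(2).encode("latin-1")
    files = []
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):          # closing delimiter reached
            break
        part_headers = part.split(b"\r\n\r\n", 1)[0]
        disp = _DISPOSITION.search(part_headers)
        if disp and disp.group("filename") is not None:
            files.append((disp.group("name").decode("latin-1"),
                          disp.group("filename").decode("latin-1")))
    return files


def is_html2wp_upload_attempt(raw: bytes) -> bool:
    """Match the request shape from the IOC list: a POST to
    admin.php?page=html2wp-settings whose multipart body carries a file with
    an executable extension in local_importing[]. Session state is deliberately
    not consulted, since the flaw requires no authentication."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    if method.upper() != "POST" or url.path != TARGET_PATH:
        return False
    if parse_qs(url.query).get("page") != [TARGET_PAGE]:
        return False
    return any(name == FIELD_NAME and _ext(filename) in EXECUTABLE_EXTS
               for name, filename in multipart_files(headers, body))


def suspicious_drops(paths):
    """Filter paths (e.g. from an inotify or integrity-monitor feed) down to
    executable files inside the plugin's upload directory."""
    return [p for p in paths
            if DROP_DIR in p.replace("\\", "/") and _ext(p) in EXECUTABLE_EXTS]


def build_sample_request(field: str, filename: str, content: str,
                         boundary: str = "----constructed") -> bytes:
    """Constructed sample traffic in the shape the IOC list describes."""
    body = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            f"Content-Type: application/octet-stream\r\n\r\n{content}\r\n"
            f"--{boundary}--\r\n").encode("latin-1")
    head = (f"POST {TARGET_PATH}?page={TARGET_PAGE} HTTP/1.1\r\nHost: wp.example\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode("latin-1")
    return head + body


MALICIOUS_REQUEST = build_sample_request(FIELD_NAME, "shell.php", "<?php /* constructed */ ?>")
BENIGN_REQUEST = build_sample_request(FIELD_NAME, "index.html", "<html></html>")
SAMPLE_PATHS = [  # constructed
    "/var/www/html/wp-content/uploads/html2wp/a1b2c3d4.php",
    "/var/www/html/wp-content/uploads/html2wp/page.html",
    "/var/www/html/wp-content/uploads/2022/06/photo.jpg",
]

if __name__ == "__main__":
    print("exploit-shaped request flagged:", is_html2wp_upload_attempt(MALICIOUS_REQUEST))
    print("benign import flagged:", is_html2wp_upload_attempt(BENIGN_REQUEST))
    print("suspicious drops:", suspicious_drops(SAMPLE_PATHS))
```

Two caveats when deploying logic like this: the extension check looks only at the final suffix, so a file named in a way your web server still hands to PHP (double extensions, `.htaccess` tricks) is governed by that server's handler configuration and is not caught here; and the request-side check fires on the upload attempt regardless of outcome, so pair it with the filesystem check to confirm the drop actually landed under wp-content/uploads/html2wp/.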

CVSS provenance

Source     Version   Score   Severity   Vector
nvd        v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck  -         9.8     CRITICAL   -