CVE-2022-1574

The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks when importing files, and does not validate them, as a result, unauthenticated attackers can upload arbitrary files (such as PHP) on the remote server

CVSS v3.0 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://wpscan.com/vulnerability/c36d0ea8-bf5c-4af9-bd3d-911eb02adc14	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:html2wp_project:html2wp:*:*:*:*:*:wordpress:*:*

History

07 Nov 2023, 03:42

Type	Values Removed	Values Added
CWE	CWE-862 CWE-352

27 Jun 2023, 15:57

Type	Values Removed	Values Added
CWE	~~CWE-434~~	CWE-862 CWE-352

Information

Published : 2022-06-27 09:15

Updated : 2023-11-07 03:42

NVD link : CVE-2022-1574

Mitre link : CVE-2022-1574

JSON object : View

Products Affected

html2wp_project

html2wp

CWE

No CWE.

9.8 /10