CVE-2022-1572
HTML2WP < 1.0.0 - Authenticated Arbitrary File Deletion via Unprotected AJAX Action
Severity
HIGH
Title source: llmDescription
The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks in an AJAX action that is available to any authenticated user, such as a subscriber, which could allow them to delete arbitrary files.
References (1)
https://wpscan.com/vulnerability/9afd1805-d449-4551-986a-f92cb47c95c5 (Exploit, Third Party Advisory; tags: vdb-entry, technical-description)
Scores
CVSS v3
8.1
EPSS
0.0053
EPSS Percentile
41.0%
Attack Vector
NETWORK
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Details
CWE
CWE-352
CWE-862
Status
published
Products (1)
html2wp_project/html2wp
< 1.0.0
Published
Jun 27, 2022
Tracked Since
Feb 18, 2026