CVE-2022-1574

CRITICAL EXPLOITED NUCLEI

Html2wp < 1.0.0 - Missing Authorization

Title source: rule

Description

The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks when importing files, and does not validate them, as a result, unauthenticated attackers can upload arbitrary files (such as PHP) on the remote server

Nuclei Templates (1)

WordPress HTML2WP <=1.0.0 - Arbitrary File Upload

CRITICALVERIFIEDby theamanrawat

References (1)

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/c36d0ea8-bf5c-4af9-bd3d-911eb02adc14

Scores

CVSS v3 9.8

EPSS 0.7338

EPSS Percentile 98.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2025-11-18

CWE

CWE-862 CWE-352

Status published

Products (1)

html2wp_project/html2wp < 1.0.0

Published Jun 27, 2022

Tracked Since Feb 18, 2026