CVE-2022-1572
📋 TL;DR
The HTML2WP WordPress plugin through version 1.0.0 contains an authorization bypass vulnerability in an AJAX endpoint that allows any authenticated user (including low-privilege subscribers) to delete arbitrary files on the server. This affects all WordPress sites running the vulnerable plugin version. Attackers can exploit this to delete critical system files, potentially causing service disruption or complete site compromise.
💻 Affected Systems
- HTML2WP WordPress Plugin
📦 What is this software?
Html2wp by Html2wp Project
⚠️ Risk & Real-World Impact
Worst Case
An attacker could delete critical WordPress core files, configuration files, or operating system files, leading to complete site destruction, data loss, and potential privilege escalation to full server compromise.
Likely Case
Attackers delete WordPress configuration files (wp-config.php) or plugin files, causing site downtime, data exposure through configuration leaks, and requiring full site restoration from backups.
If Mitigated
With proper file permissions and WordPress hardening, impact is limited to files within the web directory, still potentially causing site functionality issues but preventing system-wide damage.
🎯 Exploit Status
Exploitation requires authenticated access but only subscriber-level privileges. The vulnerability is well-documented in security advisories with technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: none released (the plugin appears abandoned; no fixed version after 1.0.0 exists, so removal is the only fix)
Vendor Advisory: https://wpscan.com/vulnerability/9afd1805-d449-4551-986a-f92cb47c95c5
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Locate the HTML2WP plugin.
4. Click 'Deactivate', then 'Delete'.
5. Remove any remaining plugin files from the wp-content/plugins/html2wp directory via FTP/SFTP if necessary.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Add code to the WordPress theme's functions.php (or a must-use plugin, which survives theme changes) to remove the vulnerable AJAX action hook. remove_action() only succeeds when the callback name and priority match what the plugin registered (priority 10 is the default); if it silently does nothing, confirm both values in the plugin source.
add_action('init', function () {
    // Unhook the plugin's file-deletion handler so admin-ajax.php no longer dispatches to it
    remove_action('wp_ajax_html2wp_delete_file', 'html2wp_delete_file_callback');
});
Restrict file deletion permissions
Modify the web server configuration to restrict file deletion operations. Note that web server access rules cannot stop the plugin's own PHP code from calling unlink(); they only block direct requests for sensitive file types, so pair them with the hook removal above and with the file permission hardening below. Scope the rules to the uploads directory: applied site-wide, a deny on *.php also blocks admin-ajax.php and every other WordPress PHP file.
# For Apache: add to wp-content/uploads/.htaccess
<FilesMatch "\.(php|inc|config|sql)$">
    Require all denied
</FilesMatch>
# (Apache 2.2 uses "Deny from all" in place of "Require all denied")
# For Nginx: add to the server block (the space after ~* is required)
location ~* ^/wp-content/uploads/.*\.(php|inc|config|sql)$ {
    deny all;
}
🧯 If You Can't Patch
- Immediately disable or remove the HTML2WP plugin from all WordPress installations
- Implement strict file permission controls (755 for directories, 644 for files) and disable PHP execution in upload directories
🔍 How to Verify
Check if Vulnerable:
Check if HTML2WP plugin is installed and activated in WordPress admin panel under Plugins → Installed Plugins
Check Version:
wp plugin list --name=html2wp --field=version (if WP-CLI is installed), or read the "Version:" line of the plugin header in wp-content/plugins/html2wp/html2wp.php
Verify Fix Applied:
Confirm HTML2WP plugin is completely removed from wp-content/plugins directory and no longer appears in WordPress plugins list
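The three verification steps above can be scripted. The following is an added example, not code from the advisory or from the plugin: it parses the WordPress plugin header the way WordPress's own get_file_data() does (a "Version:" line near the top of the main plugin file, behind comment decoration), compares it with the affected range "through 1.0.0", and reports "not installed" when the main file is gone, which is the "fix applied" state. The plugin header embedded below is constructed for the demonstration; the default path wp-content/plugins/html2wp/html2wp.php is the one the advisory names.

```python
"""Version check for CVE-2022-1572 (HTML2WP through 1.0.0).

Added example; not part of the advisory or the plugin. It reads a WordPress
plugin header and decides whether the installed copy is in the affected range.
"""
import re
from pathlib import Path

AFFECTED_THROUGH = (1, 0, 0)   # "through version 1.0.0" per the advisory
HEADER_BYTES = 8192            # WordPress reads only the first 8 KB of the file

# Constructed sample of a main plugin file; the real plugin's header text is not reproduced here.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: HTML2WP
 * Description: Import static HTML pages into WordPress. (constructed sample)
 * Version: 1.0.0
 */
"""


def _header_field(text, key):
    """Same shape as WordPress get_file_data(): the key at line start, after
    comment decoration such as ' * ' or '#', case-insensitive."""
    m = re.search(r'^[ \t/*#@]*' + re.escape(key) + r':(.*)$', text, re.M | re.I)
    if not m:
        return None
    value = m.group(1).strip()
    # One-line headers such as "/* Version: 1.0.0 */" leave a trailing "*/" to drop.
    return value.rstrip('*/').strip() or None


def version_tuple(version):
    """'1.0' -> (1, 0, 0); non-numeric suffixes such as '-beta' are ignored."""
    parts = []
    for piece in version.split('.'):
        digits = re.match(r'\d+', piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(header_text):
    """header_text is the main plugin file's contents, or None if the file is absent."""
    if header_text is None:
        return {"installed": False, "name": None, "version": None, "vulnerable": False}
    head = header_text[:HEADER_BYTES]
    name = _header_field(head, "Plugin Name")
    version = _header_field(head, "Version")
    # No fixed release exists, so an unreadable version is treated as affected.
    vulnerable = version is None or version_tuple(version) <= AFFECTED_THROUGH
    return {"installed": True, "name": name, "version": version, "vulnerable": vulnerable}


def assess_plugin_dir(wp_root):
    """Assumed default layout: <wp_root>/wp-content/plugins/html2wp/html2wp.php."""
    main_file = Path(wp_root) / "wp-content" / "plugins" / "html2wp" / "html2wp.php"
    if not main_file.is_file():
        return assess(None)          # file gone: the "Verify Fix Applied" state
    return assess(main_file.read_text(errors="replace"))


if __name__ == "__main__":
    print("constructed header:", assess(SAMPLE_HEADER))
    print("this directory:", assess_plugin_dir("."))
```

Run it from the WordPress root (assess_plugin_dir(".")) on each site; a result with "installed": True is a site that still needs the plugin removed, regardless of the version string, because no patched release exists.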
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=html2wp_delete_file parameter
- File deletion events in web server logs for unexpected files
- Failed file operations or permission errors in WordPress debug logs
Network Indicators:
- HTTP POST requests containing 'html2wp_delete_file' in AJAX calls
- Unusual file deletion patterns from authenticated but low-privilege users
SIEM Query:
source="web_server_logs" AND (uri_path="/wp-admin/admin-ajax.php" AND post_data CONTAINS "html2wp_delete_file")
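The log indicators above can be turned into a small scanner. The following is an added example, not part of the advisory or of any SIEM product: it parses access log lines in the Apache/Nginx combined format and flags requests to admin-ajax.php whose action is html2wp_delete_file. Access logs do not normally record POST bodies, so the scanner catches the action in the query string (admin-ajax.php reads the action from $_REQUEST, so either form reaches the plugin) and, as an assumption, from an optional trailing body="..." field of the kind a reverse proxy or WAF can append. The log lines below are constructed.

```python
"""Access-log scanner for CVE-2022-1572 indicators.

Added example; not the advisory's own tooling. Flags admin-ajax.php requests
carrying action=html2wp_delete_file, in the query string or in an (assumed)
captured body field, and counts hits per source address.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

ACTION = "html2wp_delete_file"

# Combined log format, plus an optional body="..." suffix that is an assumption
# about how a proxy/WAF might log POST data; plain combined logs still parse.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
    r'(?: body="(?P<body>[^"]*)")?'
)

# Constructed sample: two hits from one address, one benign heartbeat call,
# one direct request for the plugin file, and a site search containing the string.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2022:09:14:03 +0000] "POST /wp-admin/admin-ajax.php?action=html2wp_delete_file HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2022:09:14:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0" body="action=html2wp_delete_file"
198.51.100.4 - - [12/May/2022:09:15:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 48 "-" "Mozilla/5.0" body="action=heartbeat"
198.51.100.4 - - [12/May/2022:09:16:02 +0000] "GET /wp-content/plugins/html2wp/html2wp.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.9 - - [12/May/2022:09:17:11 +0000] "GET /?s=html2wp_delete_file HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def carries_delete_action(entry):
    """True when the request targets admin-ajax.php and names the vulnerable action."""
    url = urlsplit(entry["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return False          # the string elsewhere (e.g. a site search) is not an indicator
    query_actions = parse_qs(url.query).get("action", [])
    body_actions = parse_qs(entry.get("body") or "").get("action", [])
    return ACTION in query_actions or ACTION in body_actions


def scan(lines):
    """Return one record per matching request; non-matching or unparseable lines are skipped."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and carries_delete_action(entry):
            hits.append({"ip": entry["ip"], "ts": entry["ts"],
                         "method": entry["method"], "status": entry["status"]})
    return hits


def summarize(hits):
    """Hits per source address, for prioritising which sessions to review."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(h)
    print(dict(summarize(found)))
```

admin-ajax.php returns 200 for handled actions, so status codes do not separate successful deletions from failed ones; correlate each hit with the WordPress user session (the access log has no WordPress identity) and with file modification or deletion timestamps under the web root.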