CVE-2022-1574
📋 TL;DR
The HTML2WP WordPress plugin through version 1.0.0 allows unauthenticated attackers to upload arbitrary files (including PHP files) to the server due to missing authorization, CSRF protection, and file validation. This affects all WordPress sites running the vulnerable plugin version. Attackers can achieve remote code execution and compromise the entire website.
💻 Affected Systems
- HTML2WP WordPress Plugin
📦 What is this software?
Html2wp by Html2wp Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, malware distribution, defacement, or ransomware deployment.
Likely Case
Website takeover, backdoor installation, credential theft, and lateral movement within the hosting environment.
If Mitigated
No impact if proper file upload restrictions and authentication controls are implemented.
🎯 Exploit Status
Simple HTTP POST request to the vulnerable import endpoint with a malicious file payload. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None available
Vendor Advisory: https://wpscan.com/vulnerability/c36d0ea8-bf5c-4af9-bd3d-911eb02adc14
Restart Required: No
Instructions:
1. Immediately remove the HTML2WP plugin from all WordPress installations.
2. Delete all plugin files from the /wp-content/plugins/html2wp directory.
3. No official patch exists; the plugin appears abandoned.
🔧 Temporary Workarounds
Block plugin access via web server
Add web server rules to deny all access to the plugin directory until it is deleted.
# For Apache: create wp-content/plugins/html2wp/.htaccess with the following.
# (A <FilesMatch "html2wp"> block in the site root only matches file names that
# contain "html2wp", so it would not cover endpoints such as import.php.)
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order Allow,Deny
Deny from all
</IfModule>
# For Nginx: add to the server block. The ^~ prefix makes this location win over
# the usual regex "location ~ \.php$" block regardless of declaration order.
location ^~ /wp-content/plugins/html2wp/ {
deny all;
}
Restrict file uploads via WAF
Configure the web application firewall to deny every request to the vulnerable plugin directory, which is where the unauthenticated upload endpoint lives.
# ModSecurity rule example; anchored so only the plugin path matches
SecRule REQUEST_FILENAME "@rx ^/wp-content/plugins/html2wp/" \
"id:1001,phase:2,deny,status:403,msg:'Block HTML2WP plugin access'"
🧯 If You Can't Patch
- Disable or remove the HTML2WP plugin immediately
- Implement strict file upload restrictions at the web server level
🔍 How to Verify
Check if Vulnerable:
Check whether the /wp-content/plugins/html2wp directory exists; every release up to and including 1.0.0 is vulnerable, and no fixed release exists.
Check Version:
grep -r "Version:" /path/to/wordpress/wp-content/plugins/html2wp/*.php
Verify Fix Applied:
Confirm the html2wp directory is completely removed from /wp-content/plugins/
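The check above can be scripted. The following is an added example for this advisory, not code from the plugin, the vendor advisory or WPScan: it reads the standard WordPress plugin header (the same "Version:" line the grep command looks for) from the plugin's top-level PHP files and compares it against the last affected version, 1.0.0. The sample plugin directory it builds for the demo is constructed and contains only a header, not real plugin code.

```python
"""Check whether an installed HTML2WP copy is in the vulnerable range (<= 1.0.0).

Added example for this advisory; not part of the plugin or the vendor advisory.
"""
import os
import re
import tempfile

VULNERABLE_MAX = "1.0.0"  # last affected version per the advisory; no fix exists
# WordPress plugin header line, e.g. " * Version: 1.0.0"
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """Turn '1.0.0', '1.2' or '1.0.1-beta' into a comparable 3-tuple of ints."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version):
    """All versions through 1.0.0 are affected."""
    return parse_version(version) <= parse_version(VULNERABLE_MAX)


def find_plugin_version(plugin_dir):
    """Return the Version header from the plugin's top-level PHP files, or None."""
    if not os.path.isdir(plugin_dir):
        return None
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith(".php"):
            continue
        path = os.path.join(plugin_dir, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)  # WordPress itself only reads the first 8 KiB
        m = HEADER_RE.search(head)
        if m:
            return m.group(1)
    return None


def assess(plugin_dir):
    """Return (found, version, vulnerable) for a plugin directory."""
    version = find_plugin_version(plugin_dir)
    if version is None:
        return (False, None, False)
    return (True, version, is_vulnerable(version))


def make_sample_plugin(version="1.0.0"):
    """Constructed plugin directory holding only a minimal header (demo input)."""
    d = tempfile.mkdtemp(prefix="html2wp_sample_")
    header = "<?php\n/*\n * Plugin Name: HTML2WP\n * Version: %s\n */\n" % version
    with open(os.path.join(d, "html2wp.php"), "w", encoding="utf-8") as fh:
        fh.write(header)
    return d


if __name__ == "__main__":
    print(assess(make_sample_plugin()))  # constructed sample: (True, '1.0.0', True)
    # On a live site point it at the real directory (path is an assumption):
    print(assess("/var/www/html/wp-content/plugins/html2wp"))
```

A result of `(False, None, False)` after removal is the "Verify Fix Applied" state; `(True, version, True)` means the plugin is still installed and must be removed.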
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-content/plugins/html2wp/import.php or similar endpoints
- File uploads to plugin directories with .php extensions
- Unauthenticated requests to admin-ajax.php with html2wp actions
Network Indicators:
- POST requests to WordPress plugin paths from unauthenticated sources
- File uploads with PHP content to non-standard upload locations
SIEM Query (pseudo-syntax; match the plugin path as a prefix so that import.php and other files under the directory are included, since an exact match on the directory alone misses them):
source="web_logs" AND (uri_path="/wp-content/plugins/html2wp/*" OR user_agent CONTAINS "html2wp") AND http_method="POST"
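The log indicators and the SIEM query above can be applied offline to raw access logs. The following is an added example for this advisory, not code from the page, the plugin or any vendor tooling: it parses Apache/nginx combined-format lines, flags POST requests to any endpoint under the plugin directory and admin-ajax.php calls whose query-string action mentions html2wp, and rolls the hits up per source IP. The sample log lines, the RFC 5737 addresses in them and the `html2wp_import` action name are constructed for the demo.

```python
"""Scan combined-format access-log lines for the HTML2WP indicators listed above.

Added example for this advisory; not code from the page, the plugin or its vendor.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
PLUGIN_PREFIX = "/wp-content/plugins/html2wp/"


def classify(line):
    """Return (ip, timestamp, reason) if the line matches an indicator, else None."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    url = urlsplit(target)
    path = url.path.lower()
    reason = None

    # Indicator 1: any POST to the plugin's own endpoints (import.php or others).
    # The flaw is unauthenticated, so there is no session to check here.
    if method == "POST" and path.startswith(PLUGIN_PREFIX):
        reason = "POST to HTML2WP endpoint " + url.path
    # Indicator 2: admin-ajax.php with an html2wp action in the query string.
    # Actions sent only in the POST body are invisible in access logs and need
    # a WAF or application-level log instead.
    elif path.endswith("/wp-admin/admin-ajax.php"):
        for action in parse_qs(url.query).get("action", []):
            if "html2wp" in action.lower():
                reason = "admin-ajax action " + action
                break

    if reason is None:
        return None
    return (m.group("ip"), m.group("ts"), reason)


def scan(lines):
    """Run classify() over every line and return the hits in log order."""
    findings = []
    for line in lines:
        hit = classify(line)
        if hit:
            findings.append(hit)
    return findings


def count_by_ip(findings):
    """Roll hits up per source IP, the way the SIEM query above would."""
    counts = {}
    for ip, _ts, _reason in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2022:12:00:01 +0000] "POST /wp-content/plugins/html2wp/import.php HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.9 - - [10/May/2022:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2022:12:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=html2wp_import HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [10/May/2022:12:02:00 +0000] "GET /wp-content/plugins/html2wp/style.css HTTP/1.1" 200 200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ip, ts, reason in hits:
        print(ip, ts, reason)
    print(count_by_ip(hits))
```

Feed it real logs with `scan(open("/var/log/nginx/access.log"))` (path is an assumption). Because access logs do not record request bodies, PHP payloads inside multipart uploads are not visible here; that indicator needs the WAF rule above or a file-integrity check on the plugin directory.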