PT-2022-13971 · WordPress · Html2Wp

Daniel Ruf · Published 2022-06-27 · Updated 2023-07-04 · CVE-2022-1572

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: HTML2WP WordPress plugin version 1.0.0

Description: The issue is related to the lack of authorisation and CSRF checks in an AJAX action within the HTML2WP WordPress plugin. This could allow any authenticated user, including those with a subscriber role, to delete arbitrary files.

Recommendations: For version 1.0.0, consider disabling the AJAX action until a patch is available to prevent potential exploitation. Restrict access to the plugin's functionality for lower-privileged users such as subscribers to minimize the risk of arbitrary file deletion. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
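The advisory names two missing controls in the plugin's AJAX handler: a capability check and a CSRF (nonce) check. The following is an added example, not code from the HTML2WP plugin, showing how a WordPress AJAX delete handler is normally guarded against both, plus the path confinement that keeps a file parameter from naming an arbitrary path. The action name `example_delete_file`, the handler name and the `example-plugin/` directory are placeholders; the advisory does not state the plugin's real hook name or parameters.

```php
<?php
// Added example (not HTML2WP code): a hardened wp_ajax_* handler.
// Placeholders: action 'example_delete_file', directory 'example-plugin/'.
// The vulnerable pattern the advisory describes is the same handler with
// neither check_ajax_referer() nor current_user_can() before the delete.

add_action( 'wp_ajax_example_delete_file', 'example_delete_file_handler' );
// No wp_ajax_nopriv_* registration: unauthenticated requests never reach this.

function example_delete_file_handler() {
    // 1. CSRF check: the request must carry a nonce bound to this action.
    //    On failure check_ajax_referer() replies -1 / HTTP 403 and exits.
    check_ajax_referer( 'example_delete_file', '_ajax_nonce' );

    // 2. Authorization check: a subscriber has no 'manage_options' capability,
    //    so the "any authenticated user" case from the advisory is rejected here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Confine the deletion to one directory below the uploads folder.
    $uploads   = wp_upload_dir();
    $base_real = realpath( trailingslashit( $uploads['basedir'] ) . 'example-plugin' );
    $name      = sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) );
    $path_real = ( '' !== $name && false !== $base_real )
        ? realpath( $base_real . DIRECTORY_SEPARATOR . $name )
        : false;

    // Reject empty names, non-existent files and anything resolving outside $base_real.
    if ( false === $path_real
        || 0 !== strpos( $path_real, $base_real . DIRECTORY_SEPARATOR )
        || ! is_file( $path_real ) ) {
        wp_send_json_error( array( 'message' => 'Invalid file.' ), 400 );
    }

    wp_delete_file( $path_real );
    wp_send_json_success( array( 'deleted' => $name ) );
}
```

The client side must request the nonce from `wp_create_nonce( 'example_delete_file' )` and send it as `_ajax_nonce`; without it the first check fails before any file handling runs. The interim mitigation in the recommendations (disabling the action) would be a `remove_action()` call against the plugin's own `wp_ajax_*` hook, whose name the advisory does not give.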

Exploit: Missing Authorization, CSRF

Weakness Enumeration

Related Identifiers: CVE-2022-1572

Affected Products: Html2Wp