CVE-2022-1572: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2022-1572 affects the HTML2WP WordPress plugin version 1.0.0 and earlier. This security flaw is related to missing authorization and CSRF checks in an AJAX action, which is accessible to any authenticated users including those with subscriber-level privileges. The vulnerability was publicly disclosed on June 2, 2022, and received a CVSS score of 8.1 (high severity) (WPScan).

The vulnerability stems from improper authorization controls in the plugin's AJAX action handler. The affected endpoint 'html_actions' lacks proper authentication and CSRF protection mechanisms, making it accessible to any authenticated user regardless of their privilege level. This security issue is classified under CWE-862 (Missing Authorization) and falls into the OWASP Top 10 category A5: Broken Access Control (WPScan).

When exploited, this vulnerability allows authenticated users with minimal privileges (such as subscribers) to delete arbitrary files from the WordPress installation. This could lead to site disruption and potential data loss, as attackers can target critical system files (WPScan).

As of the last update, there is no known fix available for this vulnerability. Users of the HTML2WP plugin should consider either removing the plugin or implementing additional security controls to restrict access to the affected AJAX endpoint (WPScan).