Thousands of WordPress Sites Affected by Plugin Vulnerability
A new severe vulnerability has been discovered in yet another WordPress plugin. The flaw allows code injection on sites running the plugin, as well as phishing through cross-site scripting.
It seems not a single month can go by without a new WordPress plugin vulnerability popping up. January is no exception to that rule, with a brand-new vulnerability discovered by researchers in WP HTML Mail, a WordPress plugin that lets users design custom email templates.
Vulnerability Allows Code Injection
The vulnerability has been assigned the identifier CVE-2022-0218 and was originally discovered by Chloe Chamberland, a researcher with Wordfence. The flaw has a CVSS score of 8.3, which places it well inside "high severity" territory.
The flaw in the WP HTML Mail plugin lies in its poor handling of the REST-API routes used by the mail template plugin. According to Chamberland, the plugin performs no authentication step before granting access to the REST-API endpoint. This gives a potential attacker free access to the email template's theme settings, including the ability to inject malicious JavaScript that runs when a legitimate admin opens the mail editor page.
The extent of access the vulnerability allows is a bit frightening. A potential hacker could inject backdoor code, create new users with admin privileges, set up page redirects, and even use previously created, legitimate email templates to send out phishing emails that carry the victim site's branding and name.
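The root cause described above is a REST route that anyone can call. The following is an added illustration, not WP HTML Mail's own code: a hypothetical `example-mail/v1` route registered first with no permission check (the pattern behind this class of bug) and then with a capability check and input filtering, using WordPress's standard REST API functions.

```php
<?php
// Added illustration with a hypothetical 'example-mail/v1' namespace and route names;
// this is not WP HTML Mail's own code. Both routes store an email template body.

// VULNERABLE PATTERN: permission_callback accepts every request, so WordPress never
// checks who is calling. An unauthenticated client can overwrite the stored template,
// and any script inside it later runs in the browser of the admin who opens the editor.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mail/v1', '/template', array(
        'methods'             => 'POST',
        'callback'            => 'example_mail_save_template',
        'permission_callback' => '__return_true',   // no authentication, no authorization
    ) );
} );

// HARDENED PATTERN: same route, but only a logged-in user with a management capability
// may call it, and the template body is filtered before it is stored.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mail/v1', '/template-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_mail_save_template_safe',
        // Cookie-authenticated REST calls must also carry a valid X-WP-Nonce header,
        // so a cross-site request riding on an admin's session is rejected as well.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'html' => array(
                'required'          => true,
                'type'              => 'string',
                // wp_kses_post strips <script> tags, on* event handlers and javascript: URLs
                // before the callback ever sees the value.
                'sanitize_callback' => 'wp_kses_post',
            ),
        ),
    ) );
} );

function example_mail_save_template( WP_REST_Request $request ) {
    // Stores whatever was sent, inline scripts included.
    update_option( 'example_mail_template', $request->get_param( 'html' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

function example_mail_save_template_safe( WP_REST_Request $request ) {
    // The 'html' parameter has already passed through wp_kses_post via the route's args.
    update_option( 'example_mail_template', $request->get_param( 'html' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

The permission check is what closes the hole this article describes; the sanitize callback is defence in depth, since the stored template is later rendered inside the admin's editor page.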
Thousands of Websites Need to Update
The security report on the plugin flaw notes that WP HTML Mail is compatible with other very popular plugins, including WooCommerce and Ninja Forms. According to estimates, the vulnerable plugin is installed on roughly 20 thousand websites.
The owners of all those sites are advised to immediately make sure they are running the latest version of WP HTML Mail, in which the vulnerability has been patched. At the time of writing, this version is 3.1.