The WordPress WP HTML Mail plugin is vulnerable to a high-severity flaw that can lead to code injection and the distribution of convincing phishing emails. It is used by over 20,000 sites.

‘WP HTML Mail’ is a plugin for designing custom emails, contact form notifications, and other messages that online platforms send to their users.

The plugin is compatible with WooCommerce, Ninja Forms, BuddyPress, and other plugins. While the number of sites that use it isn’t large, many of them have a large audience, so the flaw affects a large number of people.

According to a report by Wordfence’s Threat Intelligence team, an unauthenticated attacker could use the flaw, tracked as CVE-2022-0218, to change the email template to contain arbitrary data.

Threat actors can also use the same flaw to send phishing emails to anyone who has registered on an affected site.

Unsecured API endpoints

The issue is with how the plugin registers two REST-API routes for retrieving and updating email template settings.

Because these API endpoints aren’t adequately protected, unauthenticated users can call them and execute the underlying functions.

As Wordfence explains in detail in its report:

The plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method.

The REST-API endpoint did use the permission_callback function. However, it was set to __return_true, which meant that no authentication was required to execute the functions.

Therefore, any user had access to execute the REST-API endpoint to save the email’s theme settings or retrieve the email’s theme settings.

Aside from phishing attacks, an adversary could inject malicious JavaScript into the email template, which would run whenever the site administrator opened the HTML mail editor.

This could lead to the creation of new admin accounts, the redirection of site visitors to phishing sites, the injection of backdoors into theme files, and even the complete takeover of the site.
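The registration pattern the report describes, reconstructed as an added example that is not the plugin’s own code: a `/themesettings` route whose `permission_callback` was `__return_true`, next to the hardened form with a real capability check and input sanitization. The namespace `example-mail/v1`, the option name and the function names are placeholders assumed for the example.

```php
<?php
// Added example, not WP HTML Mail's own code. The namespace 'example-mail/v1',
// the option 'example_mail_theme' and the function names are placeholders.
// Read the stored template settings (administrator only once the route is fixed).
function example_get_theme_settings( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'example_mail_theme', array() ) );
}
// Persist template settings; the 'args' sanitize_callback below has already
// cleaned the submitted HTML before this runs.
function example_save_theme_settings( WP_REST_Request $request ) {
    $settings = array( 'template' => $request->get_param( 'template' ) );
    update_option( 'example_mail_theme', $settings );
    return rest_ensure_response( $settings );
}
// The fix: a capability check instead of '__return_true'.
function example_themesettings_permission( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    // 401 for anonymous callers, 403 for logged-in users lacking the capability.
    return new WP_Error(
        'rest_forbidden',
        __( 'Sorry, you are not allowed to manage email template settings.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}
function example_register_themesettings_route() {
    register_rest_route( 'example-mail/v1', '/themesettings', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_get_theme_settings',
            // Vulnerable version: 'permission_callback' => '__return_true',
            'permission_callback' => 'example_themesettings_permission',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_save_theme_settings',
            'permission_callback' => 'example_themesettings_permission',
            'args'                => array(
                'template' => array(
                    'required'          => true,
                    // Drops tags not allowed in post content, including <script>.
                    'sanitize_callback' => 'wp_kses_post',
                ),
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_register_themesettings_route' );
```

With the fixed registration, an unauthenticated request to either method receives a `rest_forbidden` error rather than the template, and stored templates cannot carry script that would execute in the administrator’s editor.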

Fixes

On December 23, 2021, Wordfence discovered and reported the vulnerability to the plugin’s developer, but didn’t hear back until January 10, 2022.

A security update addressing the vulnerability was released as version 3.1 on January 13, 2022.

As a result, all WordPress site owners and administrators should make sure they have the latest version of the ‘WP HTML Mail’ plugin installed.
