The WordPress HTML Mail plugin is vulnerable to a serious flaw that could allow an attacker to execute code and distribute convincing phishing emails.
The WordPress HTML Mail plugin is a tool that enables businesses to create custom email and contact form notifications. The plugin is compatible with BuddyPress, Ninja Forms, and WooCommerce.
The flawed WordPress plugin is installed on over 20,000 sites and can affect a significant number of Internet users.
According to a report by the Threat Intelligence team of Wordfence, an unauthenticated attacker could exploit the CVE-2022-0218 flaw to modify the email template’s contents to contain arbitrary data.
The same vulnerability can also be exploited to send phishing emails to anyone who has already registered on compromised websites.
The issue lies in the way the WordPress HTML Mail plugin registers its REST-API routes: the API endpoints aren't adequately protected, which means unauthenticated users could easily access the API's functions.
“The plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method. The REST-API endpoint did use the permission_callback function, however, it was set to __return_true which meant that no authentication was required to execute the functions. Therefore, any user had access to execute the REST-API endpoint to save the email’s theme settings or retrieve the email’s theme settings,” Wordfence teams explained.
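As an added illustration (not the plugin's own code), the following shows the weak route registration Wordfence describes beside a hardened version that gates the endpoint behind an administrator capability. The endpoint path and the two handler names come from the description above; the REST namespace `example/v1`, the option key and the handler bodies are assumptions.

```php
<?php
// Added example, not the HTML Mail plugin's code. '/themesettings' and the two
// handler names are from the Wordfence description; the namespace 'example/v1',
// the option key and the handler bodies are assumptions.

// Weak: '__return_true' disables the capability check, so any unauthenticated
// visitor can read or overwrite the email template settings.
function example_routes_weak() {
    register_rest_route( 'example/v1', '/themesettings', array(
        array( 'methods' => WP_REST_Server::READABLE, 'callback' => 'getThemeSettings',
               'permission_callback' => '__return_true' ),
        array( 'methods' => WP_REST_Server::CREATABLE, 'callback' => 'saveThemeSettings',
               'permission_callback' => '__return_true' ),
    ) );
}

// Hardened: editing site-wide email templates is an administrator action, so
// require 'manage_options'. WordPress already verifies the X-WP-Nonce header for
// cookie-authenticated REST requests before this callback runs.
function example_themesettings_permission() {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', __( 'Not allowed to manage email theme settings.' ),
        array( 'status' => rest_authorization_required_code() ) );
}

function example_routes_hardened() {
    register_rest_route( 'example/v1', '/themesettings', array(
        array( 'methods' => WP_REST_Server::READABLE, 'callback' => 'getThemeSettings',
               'permission_callback' => 'example_themesettings_permission' ),
        array( 'methods' => WP_REST_Server::CREATABLE, 'callback' => 'saveThemeSettings',
               'permission_callback' => 'example_themesettings_permission' ),
    ) );
}
add_action( 'rest_api_init', 'example_routes_hardened' );

// Minimal stand-ins for the handlers (assumed, not the plugin's code), so the
// file loads on its own. Submitted values are expected to be strings and are
// filtered with wp_kses_post before being stored.
function getThemeSettings() {
    return rest_ensure_response( get_option( 'example_theme_settings', array() ) );
}
function saveThemeSettings( WP_REST_Request $request ) {
    $clean = array_map( 'wp_kses_post', (array) $request->get_json_params() );
    update_option( 'example_theme_settings', $clean );
    return rest_ensure_response( $clean );
}
```

A quick check for this class of bug is to grep a plugin for `'permission_callback' => '__return_true'` and confirm that each such route is genuinely meant to be public.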
This vulnerability could allow an attacker to modify the site’s settings, add new admin accounts, and inject backdoors into the WP theme.
Wordfence discovered the vulnerability in the HTML Mail plugin on December 23, 2021. The security update released on January 13, 2022, addressed the vulnerability in version 3.1.