WordPress Plugin Flaw Opens 20,000 Sites To Phishing

WordPress Plugin Flaw Opens 20,000 Sites To Phishing

The WordPress HTML Mail plugin is vulnerable to a serious flaw that could allow an attacker to execute code and distribute convincing phishing emails.

The WordPress HTML Mail plugin is a tool that enables businesses to create custom email and contact form notifications. The plugin is compatible with BuddyPress, Ninja Forms, and WooCommerce.

The flawed WordPress plugin is installed on over 20,000 sites and can affect a significant number of Internet users.

According to a report by the Threat Intelligence team of Wordfence, an unauthenticated attacker could exploit the CVE-2022-0218 flaw to modify the email template’s contents to contain arbitrary data.

The same vulnerability can also be exploited to send phishing emails to anyone who has already registered on compromised websites.

The issue lies in the way the WordPress HTML Mail plugin registers its REST-API routes and API endpoints aren’t adequately protected. This means unauthenticated users could easily access the API’s functions.

“The plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method. The REST-API endpoint did use the permission_callback function, however, it was set to __return_true which meant that no authentication was required to execute the functions. Therefore, any user had access to execute the REST-API endpoint to save the email’s theme settings or retrieve the email’s theme settings,” Wordfence teams explained.

Aside from phishing, an attacker could also inject JavaScript into the mail template to execute arbitrary code.

This vulnerability could allow an attacker to modify the site’s settings, add new admin accounts, and inject backdoors into the WP theme.

Wordfence discovered the vulnerability in the HTML Mail plugin on December 23, 2021. The security update released on January 13, 2022, addressed the vulnerability in version 3.1.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.