The WordPress WP HTML Mail plugin, installed on over 20,000 websites, is vulnerable to a high-severity flaw that can lead to code injection and the distribution of convincing phishing emails.
'WP HTML Mail' is a plugin used for designing custom emails, contact form notifications, and generally tailored messages that online platforms send to their audience.
The plugin is compatible with WooCommerce, Ninja Forms, BuddyPress, and others. While the number of sites using it is not large, many of them have a large audience, so the flaw can affect a large number of Internet users.
According to a report by Wordfence's Threat Intelligence team, an unauthenticated actor could leverage the flaw, tracked as CVE-2022-0218, to modify the email template so that it contains arbitrary data of the attacker's choosing.
Additionally, threat actors can use the same vulnerability to send phishing emails to anyone registered on the compromised sites.
Unprotected API endpoints
The problem lies in the plugin's registration of two REST-API routes used to retrieve and update email template settings.
These API endpoints are not adequately protected from unauthorized access, so even unauthenticated users can call them and execute the underlying functions.
As Wordfence explains in detail in its report:
The plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method.
The REST-API endpoint did use the permission_callback function, however, it was set to __return_true which meant that no authentication was required to execute the functions.
Therefore, any user had access to execute the REST-API endpoint to save the email's theme settings or retrieve the email's theme settings.
This could potentially open the way to adding new admin accounts, redirecting the site's visitors to phishing sites, injecting backdoors into the theme files, and even full site takeover.
Disclosure and fix
Wordfence discovered the vulnerability and disclosed it to the plugin's developer on December 23, 2021, but only received a response on January 10, 2022.
The security update that addressed the vulnerability came on January 13, 2022, with the release of version 3.1.
As such, all WordPress site owners and administrators are advised to verify that they are running the latest version of the 'WP HTML Mail' plugin.
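The following is an added example, not code from the WP HTML Mail plugin or from Wordfence's report. It shows the pattern Wordfence describes, a REST route whose permission_callback is __return_true, beside a hardened registration whose permission callback checks a real capability. The namespace 'example/v1', the option name and the callback function names are assumptions for illustration; only the /themesettings route and the __return_true detail come from the article.

```php
<?php
/*
 * Added example (not the plugin's own code). Demonstrates the unprotected
 * REST route pattern described in the article and a hardened replacement.
 * Assumed for illustration: namespace 'example/v1', option 'example_mail_theme',
 * and the example_* function names.
 */

// Stand-ins for the plugin's get/save handlers (assumed names).
function example_get_theme_settings( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'example_mail_theme', array() ) );
}

function example_save_theme_settings( WP_REST_Request $request ) {
    // Whatever the caller sends becomes the stored email template settings.
    $settings = (array) $request->get_json_params();
    update_option( 'example_mail_theme', $settings );
    return rest_ensure_response( array( 'saved' => true ) );
}

// VULNERABLE: a permission_callback is present, but __return_true accepts
// every request, so an unauthenticated visitor can read or overwrite the
// template via GET/POST /wp-json/example/v1/themesettings.
function example_register_routes_vulnerable() {
    register_rest_route( 'example/v1', '/themesettings', array(
        array(
            'methods'             => WP_REST_Server::READABLE,   // GET
            'callback'            => 'example_get_theme_settings',
            'permission_callback' => '__return_true',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,   // POST/PUT/PATCH
            'callback'            => 'example_save_theme_settings',
            'permission_callback' => '__return_true',
        ),
    ) );
}

// HARDENED: the permission callback checks a capability. Anonymous callers
// get 401 and logged-in users without the capability get 403, courtesy of
// rest_authorization_required_code(). Cookie-authenticated requests must
// also carry a valid X-WP-Nonce for current_user_can() to see a user at all.
function example_can_manage_mail_theme( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to manage email templates.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_register_routes_hardened() {
    register_rest_route( 'example/v1', '/themesettings', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_get_theme_settings',
            'permission_callback' => 'example_can_manage_mail_theme',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_save_theme_settings',
            'permission_callback' => 'example_can_manage_mail_theme',
        ),
    ) );
}

// Register the hardened routes; swap in the vulnerable function to reproduce
// the weak behaviour on a test site.
add_action( 'rest_api_init', 'example_register_routes_hardened' );
```

With the vulnerable registration active, an unauthenticated curl GET against /wp-json/example/v1/themesettings returns 200 with the stored settings, and a POST with a JSON body replaces them. With the hardened registration the same anonymous requests return 401 with the rest_forbidden error, which is the check to run against any plugin route before trusting it: a permission_callback that exists but returns true unconditionally is no protection at all.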