A Vulnerability in a WordPress Plugin Can Expose Users of 20k Websites to Phishing Attacks
All WordPress Admins Running WP HTML Mail Plugin Are Urged to Update It to Version 3.1 ASAP.
A high-severity bug in the WordPress Email Template Designer plugin WP HTML Mail, which is installed on more than 20,000 websites, can lead to code injection and the distribution of convincing phishing emails.
WordPress WP HTML Mail is a plugin for creating tailored emails, contact form alerts, and other custom messages that digital platforms send to their customers.
WP HTML Mail is compatible with WooCommerce, Ninja Forms, BuddyPress, and other popular WordPress plugins. Although the number of websites using it is relatively small, many of them have large audiences, so the vulnerability affects a large number of end users.
Abusing the Flaw
As with any cross-site scripting vulnerability, the flaw can be used to inject code that adds new administrative users, redirects victims to malicious sites, inserts backdoors into theme and plugin files, and more.
In other words, this bug can lead to a complete site takeover.
The bug could also enable an attacker to alter the email template to include arbitrary content, which could be used to launch a phishing attack against anyone who receives email from the compromised website.
The issue is caused by the plugin’s registration of two REST-API routes used for retrieving and updating email template settings.
As explained by BleepingComputer, unauthenticated users could access these API endpoints because they were “insecurely implemented.”
The plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method.
The REST-API endpoint did use the permission_callback function; however, it was set to __return_true, which meant that no authentication was required to execute the functions.
Therefore, any user could call the REST-API endpoint to save or retrieve the email's theme settings.
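The weak route registration described above beside a hardened one, as an added illustration that is not the plugin's own code; the namespace, option key and function names are assumptions made for this example:

```php
<?php
// Added illustrative example, not the WP HTML Mail plugin's own code.
// Namespace 'example-mail/v1', option key and function names are assumptions.

// One callback dispatching on request method, as the text describes.
function example_theme_settings( WP_REST_Request $request ) {
    if ( 'GET' === $request->get_method() ) {
        return rest_ensure_response( get_option( 'example_mail_theme', '' ) );
    }
    update_option( 'example_mail_theme', $request->get_param( 'settings' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

// Weak: '__return_true' answers "allowed" to every request, so an
// unauthenticated visitor can read and overwrite the email template.
function example_register_weak_route() {
    register_rest_route( 'example-mail/v1', '/themesettings', array(
        'methods'             => 'GET, POST',
        'callback'            => 'example_theme_settings',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened: a capability check. Cookie-authenticated REST calls must also
// send a valid X-WP-Nonce header, otherwise WordPress treats them as
// logged out and current_user_can() returns false.
function example_theme_settings_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to manage email templates.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_register_hardened_route() {
    register_rest_route( 'example-mail/v1', '/themesettings', array(
        'methods'             => 'GET, POST',
        'callback'            => 'example_theme_settings',
        'permission_callback' => 'example_theme_settings_permission',
        'args'                => array(
            'settings' => array(
                // Assumes the template is an HTML string; strips scripts/handlers.
                'sanitize_callback' => 'wp_kses_post',
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_register_hardened_route' );
```

Only the hardened registration is hooked; the weak one is shown for comparison and should never be wired into rest_api_init.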
On December 23, 2021, Wordfence discovered and reported the weakness to the plugin's developer, but did not hear back until January 10, 2022. A security update fixing the vulnerability was released on January 13, 2022.
The Wordfence Threat Intelligence Team advises all WordPress administrators and owners running the email template designer plugin to update it to version 3.1 as quickly as possible.