A serious code injection vulnerability riddled the WordPress HTML Mail plugin, thus potentially putting thousands of websites at risk. Thankfully, the vendors have patched the flaw. Users should update their websites with the latest plugin version to avoid risk of exploit.
HTML Mail Plugin Vulnerability
According to the latest blog post from team Wordfence, the HTML Mail WordPress plugin had a high-severity code injection vulnerability. This vulnerability, identified as CVE-2022-0218, achieved a CVSS score of 8.3.
Specifically, the flaw existed due to an unsecured REST API endpoint that an unauthenticated attacker could exploit. The plugin uses those REST API routes to retrieve or update email template settings.
However, an adversary could gain unauthorized access to the endpoint and meddle with email template settings. Describing the vulnerability, the researchers stated,
More specifically, the plugin registers the
/themesettingsendpoint, which calls the
saveThemeSettingsfunction or the
getThemeSettingsfunction depending on the request method. The REST-API endpoint did use the
permission_callbackfunction, however, it was set to
__return_truewhich meant that no authentication was required to execute the functions. Therefore, any user had access to execute the REST-API endpoint to save the email’s theme settings or retrieve the email’s theme settings.
Such exploitation would allow the attacker to send phishing emails.
In a real-time scenario, such phishing attacks could be more damaging since the emails would arrive from legit senders. Hence, victims would never get an idea of the maliciousness of the email content.
Likewise, the worst exploitation of this vulnerability would allow devastating code injection attacks for site admins.
After discovering this vulnerability, Wordfence reported the matter to the developers of the plugin in question.
Consequently, the developers rolled out the HTML Mail plugin version 3.1 with the patches.
The plugin currently boasts over 20,000 active downloads, indicating the websites at risk due to the plugin’s flaw. Hence, all site admins using the plugin should rush to update their websites to the latest patched plugin version.
Last modified: January 25, 2022