20,000 WordPress sites found to be at risk of phishing due to vulnerability in WP HTML Mail plugin


The WP HTML Mail plugin for WordPress, which is installed on more than 20,000 sites, has been found to have a high severity vulnerability that can lead to code injection and distribution of deceptive phishing emails.

Wordfence report: “Unauthenticated XSS Vulnerability Patched in HTML Email Template Designer Plugin”

On December 23, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability it had discovered in “WordPress Email Template Designer – WP HTML Mail”, a WordPress plugin installed on over 20,000 sites. The vulnerability allows an unauthenticated attacker to inject malicious JavaScript that is executed every time a site administrator opens the template editor. It also allows the attacker to modify the email template to include arbitrary content, which can then be used to launch phishing attacks against anyone who receives an email from the compromised site.

“WP HTML Mail” is a plugin used to design custom emails, contact form notifications, and generally customized messages that online platforms send to their users.

Because the plugin integrates with WooCommerce, Ninja Forms, BuddyPress and similar plugins, its templates are used for order confirmations, form notifications and community messages, so the recipients of a compromised site's mail, not just its administrators, are exposed.

According to a report from Wordfence’s Threat Intelligence team, an attacker could use the vulnerability tracked as “CVE-2022-0218” to modify an email template to include arbitrary data of the attacker’s choosing.

Because the modified template is applied to the site's own outgoing mail, every message the site legitimately sends to its registered users then carries the attacker's phishing content, from a sender the recipients already trust.

Unprotected API endpoint

The problem lies in the fact that the plugin registers a REST-API route with two handlers, one for retrieving and one for updating the email template settings.

Because this endpoint performs no authentication or capability check, any unauthenticated visitor can call both handlers.

Wordfence explains this in detail in their report.

The plugin registers the /themesettings endpoint and calls the saveThemeSettings function or the getThemeSettings function depending on the request method.

The route's permission_callback was set to __return_true, meaning that WordPress performed no authentication or capability check before executing either function.

So any visitor, logged in or not, could use the REST-API endpoint to read and overwrite the email theme settings.
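The following is an added illustration of the bug class, not the WP HTML Mail plugin's own code: a WordPress plugin snippet that registers a /themesettings route in the open way described above, beside a hardened registration. The route namespace example/v1, the option name example_theme_settings and all function names are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Open REST route demo (added illustration, not WP HTML Mail)
 *
 * Shows a GET/POST /themesettings route registered with
 * permission_callback => '__return_true' beside a fixed version.
 * Namespace, option name and function names are assumptions.
 */

// Handlers shared by both registrations below.
function example_get_theme_settings( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'example_theme_settings', array() ) );
}

function example_save_theme_settings( WP_REST_Request $request ) {
    $settings = (array) $request->get_json_params();
    $clean    = array();
    foreach ( $settings as $key => $value ) {
        // wp_kses_post() keeps ordinary template markup but strips <script>
        // tags and on* event handlers before anything is stored, so a payload
        // cannot later run in the administrator's editor.
        $clean[ sanitize_key( $key ) ] = wp_kses_post( (string) $value );
    }
    update_option( 'example_theme_settings', $clean );
    return rest_ensure_response( $clean );
}

// VULNERABLE: '__return_true' as permission_callback means WordPress does no
// authentication or capability check. An anonymous POST to
// /wp-json/example/v1/themesettings rewrites the template.
function example_register_routes_vulnerable() {
    register_rest_route( 'example/v1', '/themesettings', array(
        array(
            'methods'             => WP_REST_Server::READABLE,   // GET
            'callback'            => 'example_get_theme_settings',
            'permission_callback' => '__return_true',
        ),
        array(
            'methods'             => WP_REST_Server::CREATABLE,  // POST
            'callback'            => 'example_save_theme_settings',
            'permission_callback' => '__return_true',
        ),
    ) );
}

// FIXED: only users who may manage site options can read or write the
// template. A browser session without a valid X-WP-Nonce is treated by the
// REST API as logged out, so this check also fails for CSRF-style requests.
function example_can_manage_templates() {
    return current_user_can( 'manage_options' );
}

function example_register_routes_fixed() {
    register_rest_route( 'example/v1', '/themesettings', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_get_theme_settings',
            'permission_callback' => 'example_can_manage_templates',
        ),
        array(
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => 'example_save_theme_settings',
            'permission_callback' => 'example_can_manage_templates',
        ),
    ) );
}

// Hook the fixed registration. Swap in example_register_routes_vulnerable
// only on a throwaway site to reproduce the finding.
add_action( 'rest_api_init', 'example_register_routes_fixed' );
```

With the fixed registration active, an anonymous POST to /wp-json/example/v1/themesettings is answered with a 401 rest_forbidden error before the handler runs; with the vulnerable registration the same request succeeds and the stored template is replaced. The capability check is the actual fix for the reported flaw; the wp_kses_post() filtering in the save handler is an extra layer added here so that even a privileged but compromised account cannot plant script in the editor.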

Besides enabling phishing, an adversary can inject malicious JavaScript into the email template so that it executes when a site administrator opens the HTML email editor.

Because that script runs in the administrator's browser with the administrator's session and REST nonces, it can add new admin accounts, redirect site visitors to phishing sites, inject backdoors into theme files, or take over the site completely.

Discovery and fix

Wordfence discovered the vulnerability and disclosed it to the plugin developer on December 23, 2021, but did not receive a response until January 10, 2022.

A security update for this vulnerability, version 3.1, was released on January 13, 2022.

All WordPress site owners and administrators using “WP HTML Mail” should therefore make sure they are running version 3.1 or later. Because the endpoint was reachable by anyone before the update, it is also worth opening the plugin's template editor after updating and checking the stored template for links, forms or script that the site owner did not add.
