Plugin “Email Template Designer” opens security hole in WordPress

Researchers at the security company Wordfence rate the risk of a security vulnerability in the “WordPress Email Template Designer – WP HTML Mail” plugin as high (CVE-2022-0218, CVSS 8.3). Attackers could abuse the vulnerability to inject malicious code without logging into WordPress. The plugin, which is installed on more than 20,000 WordPress instances, is used to create customized transactional emails for shop systems such as WooCommerce.

Through the insufficiently secured plugin API, attackers could store their own email templates containing malicious JavaScript code without logging in. If an administrator then opens such a template in the email template editor or the HTML email editor, the code is executed. In addition, attackers could alter email templates so that the WordPress site sends phishing emails.

Such cross-site scripting vulnerabilities could be exploited, for example, to inject code that creates new (administrative) users, redirects victims to malicious websites, builds backdoors into theme or plugin files, and much more, the Wordfence researchers explain in their security advisory. This means that unauthenticated attackers could gain administrative access to WordPress sites running the vulnerable plugin after successfully exploiting the vulnerability, the security researchers continue.
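The pattern the advisory describes, a plugin REST endpoint that accepts template HTML without checking who is calling and then renders it in the admin editor, is common enough to be worth showing. The following PHP is an added illustration, not code from the WP HTML Mail plugin or from Wordfence: a weak route registration next to a hardened one. The namespace `example-mail/v1`, the route names, the option name `example_mail_template` and all `example_*` function names are hypothetical; the WordPress functions (`register_rest_route`, `current_user_can`, `wp_kses_post`, `update_option`, `get_option`, `rest_ensure_response`, `WP_Error`) are real core APIs.

```php
<?php
// Added illustration (hypothetical plugin code), not the WP HTML Mail plugin's own code.
// Shows the general defect class from the advisory: a REST route that stores an
// editable email template without a capability check, beside a hardened version.

// --- Weak: any caller, logged in or not, can overwrite the stored template. ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mail/v1', '/template', array(
        'methods'             => 'POST',
        'callback'            => 'example_save_template_unchecked',
        // '__return_true' makes the route public: unauthenticated requests reach the callback.
        'permission_callback' => '__return_true',
    ) );
} );

function example_save_template_unchecked( WP_REST_Request $request ) {
    // Raw HTML is stored verbatim; a <script> inside it runs later when an
    // administrator opens the template in the editor (stored XSS).
    update_option( 'example_mail_template', $request->get_param( 'html' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

// --- Hardened: require a privileged user and strip active content on input. ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mail/v1', '/template-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_save_template_checked',
        'permission_callback' => function () {
            // Only users who may manage site options can change templates.
            // Cookie-authenticated REST calls also need a valid REST nonce,
            // which core checks before this callback runs.
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'html' => array(
                'required'          => true,
                'type'              => 'string',
                // wp_kses_post keeps ordinary post markup and drops <script>,
                // on* event handlers and javascript: URLs before the value
                // reaches the callback.
                'sanitize_callback' => 'wp_kses_post',
            ),
        ),
    ) );
} );

function example_save_template_checked( WP_REST_Request $request ) {
    $html = $request->get_param( 'html' );
    if ( '' === trim( (string) $html ) ) {
        return new WP_Error( 'empty_template', 'Template body required.', array( 'status' => 400 ) );
    }
    update_option( 'example_mail_template', $html );
    return rest_ensure_response( array( 'saved' => true ) );
}

// Output side: filter again when rendering the editor preview instead of trusting
// stored data, so an older template saved before the fix cannot execute either.
function example_render_template_preview() {
    $html = get_option( 'example_mail_template', '' );
    echo wp_kses_post( $html );
}
```

Two points a reviewer would check in any plugin that exposes an editor over the REST API: every `register_rest_route` call has a `permission_callback` that tests a capability rather than returning `true`, and HTML stored by the endpoint is filtered both when it is written and when it is rendered in wp-admin.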

The developers have closed the security gap in version 3.1 of the “WordPress Email Template Designer – WP HTML Mail” plugin. WordPress administrators should check whether they are using the plugin and update to the patched version as soon as possible.

(dmk)