The WordPress WP HTML Mail plugin is affected by a high-severity issue that can result in code injection and the delivery of convincing phishing emails. The plugin is used by over 20,000 websites and lets site owners create customized emails, contact form alerts, and other messages that their platforms send to users.
WooCommerce, Ninja Forms, BuddyPress, and other plugins are all compatible with WP HTML Mail. While the number of websites that use it isn't large, many of them have a broad audience, so the problem affects a large number of people. According to research by Wordfence's Threat Intelligence team, an unauthenticated actor could use the vulnerability, tracked as CVE-2022-0218, to change the email template to include arbitrary content. Malicious hackers could also use the same flaw to send phishing emails to anyone registered on a compromised site.
The issue lies in how the plugin registers two REST API routes for retrieving and updating email template data. Because these endpoints aren't properly protected against unauthorized access, unauthenticated users can call them and execute the underlying functions.
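As an added illustration of the defect class described above (this is example code, not the WP HTML Mail plugin's own source; the route namespace, option name, and callback names are assumed), the following shows a WordPress REST route whose `permission_callback` always returns true beside a hardened registration that requires the `manage_options` capability and sanitizes the submitted template:

```php
<?php
/**
 * Illustrative example of an unprotected REST route beside its hardened form.
 * Namespace 'example-mail/v1', option 'example_mail_template' and all
 * function names are assumed for the example and do not come from the plugin.
 */

// VULNERABLE PATTERN: '__return_true' as the permission callback means any
// visitor, logged in or not, can read and overwrite the stored template.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mail/v1', '/template-unprotected', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_mail_get_template',
            'permission_callback' => '__return_true',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_mail_set_template',
            'permission_callback' => '__return_true',
        ),
    ) );
} );

// HARDENED PATTERN: a real authorization check on both methods, plus argument
// validation and sanitization so only well-formed HTML reaches the option.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mail/v1', '/template', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_mail_get_template',
            'permission_callback' => 'example_mail_can_manage',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_mail_set_template',
            'permission_callback' => 'example_mail_can_manage',
            'args'                => array(
                'html' => array(
                    'required'          => true,
                    'type'              => 'string',
                    'sanitize_callback' => 'wp_kses_post',
                ),
            ),
        ),
    ) );
} );

/**
 * Permission callback: only users who may manage site options get access.
 * Cookie-authenticated requests without a valid X-WP-Nonce are treated by
 * WordPress as logged out, so this check also rejects CSRF-style requests.
 */
function example_mail_can_manage( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to manage the email template.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Read the stored template (assumed option name).
function example_mail_get_template( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'html' => get_option( 'example_mail_template', '' ),
    ) );
}

// Update the stored template; 'html' has already been sanitized by wp_kses_post
// on the hardened route, so script tags and event handlers are stripped.
function example_mail_set_template( WP_REST_Request $request ) {
    update_option( 'example_mail_template', $request->get_param( 'html' ) );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

When auditing a plugin for this class of bug, search its `register_rest_route` calls for a missing `permission_callback` or one set to `__return_true` on any route that writes data; since WordPress 5.5 a route with no `permission_callback` at all also logs a `_doing_it_wrong` notice, which makes the omission easy to spot in debug logs.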
On December 23, 2021, Wordfence detected the flaw and reported it to the plugin's owner, but did not hear back until January 10, 2022. A security patch that remedied the weakness was issued with the release of version 3.1 on January 13, 2022. As a result, all WordPress site owners and administrators should make sure they have the newest version of the WP HTML Mail plugin installed.