White Hat Institute

A bug in a WordPress plugin leaves 20,000 websites at risk of phishing attacks

Retrieved from cloudways.com

The WordPress WP HTML Mail plugin is susceptible to a high-severity issue that can result in code injection and the deployment of believable phishing emails. This plugin is used by over 20,000 websites and allows you to create customized emails, contact form alerts, and other messages that online platforms send to their users.

WooCommerce, Ninja Forms, BuddyPress, and other plugins are all compatible with the WP HTML Mail. While the number of websites that utilize it isn’t big, many of them have a broad audience, causing the problem to impact a large number of people. According to research by Wordfence’s Threat Intelligence team, an unauthenticated actor might use the vulnerability labeled “CVE-2022–0218” to change the email template to include arbitrary material. Malicious hackers can also utilize the same flaw to send phishing emails to anyone who has enrolled on the hacked sites.

The issue is with how the plugin registers two REST-API pathways for retrieving and updating email template information. Unwanted users can request and execute the functions since these API endpoints aren’t appropriately secured from unauthorized access.

Aside from phishing assaults, an attacker might inject harmful JavaScript into the email template, which would run whenever the site administrator opened the HTML mail editor. This might lead to the creation of new admin accounts, the redirection of web users to phishing sites, the injection of backdoors into theme files, and even the entire control of the website.

On December 23, 2021, Wordfence detected and reported the flaw to the plugin’s owner, but they didn’t hear back until January 10, 2022. With the release of version 3.1 on January 13, 2022, a security patch that remedied the weakness was issued. As a result, all WordPress site owners and administrators should make sure they have the newest version of the ‘WP HTML Mail’ plugin installed.