A Vulnerability in the WordPress Plugin Can Expose Users of 20k Websites to Phishing Attacks

A high-severity bug in the WordPress Email Template Designer WP HTML Mail plugin, which is installed on more than 20,000 websites, can lead to code injection and the distribution of persuasive phishing emails.

WordPress WP HTML Mail is a plugin for creating tailored emails, contact form alerts, and other custom messages that digital platforms send to their customers.

WP HTML Mail is compatible with WooCommerce, Ninja Forms, BuddyPress, and other popular WordPress plugins. Although the number of websites using it is relatively small, many of them have large audiences, so the vulnerability affects a substantial number of users.

Abusing the Flaw

The vulnerability, discovered by the Wordfence Threat Intelligence team and tracked as CVE-2022-0218, could be exploited by an unauthenticated threat actor to inject malicious JavaScript into the mail template that would execute whenever a site administrator accessed the HTML mail editor.

As with other cross-site scripting vulnerabilities, the injected code can be used to add new administrative users, redirect victims to malicious sites, inject backdoors into theme and plugin files, and much more.

In addition, this bug can lead to a complete site takeover.
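To make the described failure mode concrete from the defender's side, here is an added Python example (not code from the article, from Wordfence, or from the WP HTML Mail plugin) that audits a stored mail template for script tags, inline event handlers and javascript:-style URLs, the constructs a payload injected into a template would need in order to run in an administrator's browser. The sample template, its placeholder text and the tag policy are constructed for this example.

```python
from html.parser import HTMLParser

# Tags with no legitimate role in an e-mail template (assumed policy, not the plugin's own allowlist).
DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "base", "form", "meta", "link"}
# Attributes whose value is a URL and could therefore carry an executable scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:")


class TemplateAuditor(HTMLParser):
    """Walks a template and records anything that would execute when the editor renders it."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"<{tag}> tag is not allowed in a mail template")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"<{tag}> has event handler attribute {lname}")
            elif lname in URL_ATTRS and value is not None:
                # Drop whitespace and control characters before checking the scheme,
                # so "java\nscript:" or a tab-prefixed URL is still recognised.
                norm = "".join(c for c in value if not c.isspace() and ord(c) > 31).lower()
                if norm.startswith(BAD_SCHEMES):
                    self.findings.append(f"<{tag}> has a {norm.split(':', 1)[0]}: URL in {lname}")

    # Self-closing tags such as <img ... /> arrive here rather than in handle_starttag.
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def audit_template(source: str) -> list:
    """Return a list of findings for one template; an empty list means nothing executable was found."""
    auditor = TemplateAuditor()
    auditor.feed(source)
    auditor.close()
    return auditor.findings


# Constructed sample: an ordinary order e-mail with three injected payloads.
SAMPLE_TEMPLATE = """<html><body>
<h1>Your order has shipped</h1>
<p>Thanks for shopping at <a href="https://shop.example/">our store</a>.</p>
<img src="https://shop.example/logo.png" alt="logo">
<img src=x onerror="alert(1)">
<script>alert(1)</script>
<a href="  JavaScript:alert(1)">Click here</a>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE):
        print(finding)
```

Running the audit over every saved template after patching is a cheap way to confirm that nothing was injected before the update was applied.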

The high-severity bug in the WordPress Email Template Designer WP HTML Mail could

Read More: https://heimdalsecurity.com/blog/a-vulnerability-in-the-wordpress-plugin-can-expose-users-of-20k-websites-to-phishing-attacks/