A high-severity bug in the WordPress Email Template Designer WP HTML Mail, which is installed on more than 20,000 websites, can lead to code injection and the distribution of convincing phishing emails.
WordPress WP HTML Mail is a plugin for creating tailored emails, contact form alerts, and other custom messages that digital platforms send to their customers.
WP HTML Mail is compatible with WooCommerce, Ninja Forms, BuddyPress, and other popular WordPress plugins. Although the number of websites that use it is small, many of them have large audiences, so the vulnerability affects a great many users.
Abusing the Flaw
As with other cross-site scripting vulnerabilities, this one can be used to inject code that adds new administrative users, redirects victims to malicious sites, plants backdoors in theme and plugin files, and much more.
In addition, this bug can lead to a complete site takeover.
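The passage above describes the impact of stored cross-site scripting in an email template editor. The following is an added illustrative example, not the WP HTML Mail plugin's own code, showing the defensive pattern such a plugin needs: the template body is run through WordPress' `wp_kses` allowlist when it is saved and again when it is rendered, dynamic values are escaped before substitution, and the REST endpoint that edits the template requires the `manage_options` capability. The option key `example_mail_template`, the route `example-mail/v1/template` and the function names are hypothetical.

```php
<?php
// Added example (not WP HTML Mail's code): storing and rendering an editable
// HTML email template without letting it become a stored-XSS sink.
// Hypothetical names: option 'example_mail_template', route 'example-mail/v1'.

function example_mail_template_allowed_html() {
    // Start from WordPress' post-content allowlist and permit a few
    // presentation attributes that email templates commonly need.
    // <script>, on* event handlers and javascript: URLs are not in the
    // allowlist, so wp_kses strips them.
    $allowed = wp_kses_allowed_html( 'post' );
    foreach ( array( 'table', 'tr', 'td', 'div', 'span', 'p', 'a' ) as $tag ) {
        $allowed[ $tag ]['style'] = true;
        $allowed[ $tag ]['class'] = true;
    }
    return $allowed;
}

function example_save_mail_template( WP_REST_Request $request ) {
    $raw = (string) $request->get_param( 'template' );
    // Sanitise on the way in: markup outside the allowlist is removed.
    $clean = wp_kses( $raw, example_mail_template_allowed_html() );
    update_option( 'example_mail_template', $clean );
    return rest_ensure_response( array( 'saved' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mail/v1', '/template', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_save_mail_template',
        // Only administrators may change the template that every outgoing
        // email is built from; a missing or permissive permission_callback
        // would expose the editor to low-privilege or anonymous callers.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function example_render_mail_template( array $vars ) {
    $template = (string) get_option( 'example_mail_template', '' );
    // Re-apply the allowlist at render time in case the option was written
    // by another code path, then escape each dynamic value before it is
    // substituted into the template.
    $template = wp_kses( $template, example_mail_template_allowed_html() );
    foreach ( $vars as $name => $value ) {
        $template = str_replace( '{' . $name . '}', esc_html( (string) $value ), $template );
    }
    return $template;
}
```

When reviewing a template plugin, the two checks worth making are whether the template-editing endpoint has a restrictive `permission_callback` and whether template content is filtered through `wp_kses` (or an equivalent allowlist) on both the save and render paths; either gap on its own is enough for the injected-admin and phishing scenarios described above.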
The high-severity bug in the WordPress Email Template Designer WP HTML Mail could