20K WordPress Sites Exposed by Insecure Plugin REST-API

  • Becky
  • published date: 2022-01-21 13:19:00 UTC

The WordPress WP HTML Mail plugin for personalized emails is vulnerable to code injection and phishing due to XSS.

<div class="c-article__content js-reading-content">
<p>More than 20,000 WordPress sites are vulnerable to malicious code injection, phishing scams and more as the result of a high-severity cross-site scripting (XSS) bug discovered in the WordPress Email Template Designer – WP HTML Mail, a plugin for designing custom emails.</p>
<p>The new vulnerability (CVE-2022-0218, CVSS score 8.3) was found by Wordfence researcher Chloe Chamberland, and was caused by a <a href="" target="_blank" rel="noopener">faulty configuration in the REST-API routes</a> used to update the template and change settings, Chamberland explained in the disclosure. Simply put, there was no authentication required to access the REST-API endpoint.</p>
<p>“Therefore, any user had access to execute the REST-API endpoint to save the email’s theme settings or retrieve the email’s theme settings,” Chamberland wrote. “[They] could inject malicious JavaScript into the mail template that would execute anytime a site administrator accessed the HTML mail editor.”</p>
<p>That means threat actors could add new users with administrative credentials, inject backdoors, implement site redirects, and use legitimate site templates to send phishing emails, among many other things — even site takeovers.</p>
<p>“Combined with the fact that the vulnerability can be exploited by attackers with no privileges on a vulnerable site, this means that there is a high chance that unauthenticated attackers could gain administrative user access on sites running the vulnerable version of the plugin when successfully exploited,” Chamberland said.</p>
<h2><strong>Plugin Compatible with WooCommerce, Ninja Forms &amp; BuddyPress</strong></h2>
<p>The plugin is installed across 20,000 sites and is compatible with other plugins run by WordPress sites with large followings, such as the eCommerce platform <a href="" target="_blank" rel="noopener">WooCommerce</a>, the online form builder Ninja Forms and the community-building plugin BuddyPress, Chamberland reported.</p>
<p>“We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 3.1 at the time of this publication,” Chamberland added.</p>
<p>This latest disclosure comes just a week after Risk Based Security released its findings that the number of <a href="" target="_blank" rel="noopener">WordPress plugin vulnerabilities</a> grew by triple digits in 2021.</p>
<p>In the same week, three <a href="" target="_blank" rel="noopener">WordPress plugins</a> were reported with the same bug — exposing 84,000 sites running eCommerce add-ons to full site takeovers.</p>
<p>WordPress site administrators are advised by Chamberland to ensure they’re running the most up-to-date version, <a href="" target="_blank" rel="noopener">WordPress Email Template Designer — WP HTML Mail</a> version 3.1.</p>
<p>“If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to complete site takeover,” Chamberland cautioned.</p>
</div>
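<p>For context on the kind of misconfiguration described above, here is an added illustration (not the WP HTML Mail plugin's own code) of a WordPress REST route whose <code>permission_callback</code> admits every caller, next to a registration that requires an administrative capability and sanitizes the stored template. The namespace, route, option name and function names are hypothetical.</p>

```php
<?php
// Added example, not the plugin's code. Namespace, route and option name
// are hypothetical; the WordPress functions used are the real core API.

// Weak pattern: '__return_true' makes the route callable by anyone, so an
// unauthenticated visitor can read or overwrite the stored mail template.
function example_register_weak_route() {
    register_rest_route( 'example-mail/v1', '/theme-settings', array(
        'methods'             => array( 'GET', 'POST' ),
        'callback'            => 'example_theme_settings',
        'permission_callback' => '__return_true', // the misconfiguration
    ) );
}

// Hardened pattern: the editor is admin-only, so require the matching
// capability, and strip script/event-handler markup before storing.
function example_register_hardened_route() {
    register_rest_route( 'example-mail/v1', '/theme-settings', array(
        'methods'             => array( 'GET', 'POST' ),
        'callback'            => 'example_theme_settings',
        'permission_callback' => function () {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            // 401 for anonymous callers, 403 for users lacking the capability.
            return new WP_Error(
                'rest_forbidden',
                __( 'You are not allowed to edit mail templates.' ),
                array( 'status' => rest_authorization_required_code() )
            );
        },
        'args' => array(
            'template' => array(
                'type'              => 'string',
                'sanitize_callback' => 'wp_kses_post', // removes <script>, on* attrs
            ),
        ),
    ) );
}

// Shared handler: POST stores the template, GET returns the current one.
function example_theme_settings( WP_REST_Request $request ) {
    if ( 'POST' === $request->get_method() ) {
        update_option( 'example_mail_template', $request->get_param( 'template' ) );
    }
    return rest_ensure_response(
        array( 'template' => get_option( 'example_mail_template', '' ) )
    );
}

add_action( 'rest_api_init', 'example_register_hardened_route' );
```

<p>Note that cookie-authenticated REST requests also need a valid <code>X-WP-Nonce</code> header; without it WordPress treats the request as anonymous and the capability check fails, which is the behaviour you want.</p>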