The Wordfence Threat Intelligence team disclosed an unauthenticated XSS vulnerability in the Email Template Designer – WP HTML Mail WordPress plugin (CVE-2022-0218). The plugin is installed on over 20,000 sites, making the risk quite significant.
Email Template Designer – WP HTML Mail is a WordPress plugin used to create custom-designed WordPress emails for WooCommerce and Easy Digital Downloads (EDD) transactional emails, contact form notifications, WordPress core emails, Ninja Forms, BuddyPress, and many more.
This vulnerability also allows an attacker to modify the email template to contain arbitrary data, which could be used to mount a phishing attack against anyone who receives email from the compromised site.
The exploit abuses a flaw in the plugin feature that registers two REST API routes, one to retrieve email template settings and one to update them; both endpoints were accessible to unauthenticated users.
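The pattern behind this class of bug, as an illustrative example added here (it is not code from the plugin or from Wordfence): a REST route registered with a permission callback that always returns true, placed beside a hardened form that requires a capability and sanitizes the template HTML before storing it. The namespace `example-mail/v1`, the option key `example_mail_template` and the `manage_options` capability are assumptions.

```php
<?php
// Added illustrative example, not the WP HTML Mail plugin's code; the
// namespace, option key and capability below are assumptions.
// Weak setting: permission_callback '__return_true' lets unauthenticated
// visitors overwrite the template, and raw HTML is stored unsanitized.
function example_weak_update_route() {
    register_rest_route( 'example-mail/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_store_template',
        'permission_callback' => '__return_true',
    ) );
}
// Corrected setting: require a capability on both routes and run the
// submitted template through wp_kses_post before it is stored.
function example_protected_routes() {
    register_rest_route( 'example-mail/v1', '/settings', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_read_template',
            'permission_callback' => 'example_can_manage_templates',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_store_template',
            'permission_callback' => 'example_can_manage_templates',
            'args'                => array(
                'template' => array(
                    'type'              => 'string',
                    'required'          => true,
                    'sanitize_callback' => 'wp_kses_post',
                ),
            ),
        ),
    ) );
}
function example_can_manage_templates() {
    return current_user_can( 'manage_options' );
}
function example_read_template( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'example_mail_template', '' ) );
}
function example_store_template( WP_REST_Request $request ) {
    // On the protected route the value has already passed wp_kses_post.
    update_option( 'example_mail_template', $request->get_param( 'template' ) );
    return rest_ensure_response( array( 'updated' => true ) );
}
add_action( 'rest_api_init', 'example_protected_routes' );
```

Only the protected registration is hooked into `rest_api_init`; the weak variant is shown for comparison and never registered.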
Full disclosure details were shared with the developer, Codemiq, on January 10, 2022, and a patched version of the plugin was released on January 13, 2022.
The recommended minimum version for Email Template Designer – WP HTML Mail WordPress plugin is now version 3.1.
You can find more details about the vulnerability in the Email Template Designer – WP HTML Mail WordPress plugin in the Wordfence disclosure post, which includes full details about the insecure code.