exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Email Template Designer – WP HTML Mail 3.0.9 Cross Site Scripting

WordPress Email Template Designer – WP HTML Mail 3.0.9 Cross Site Scripting
Posted Jan 19, 2022
Authored by Chloe Chamberland | Site wordfence.com

WordPress Email Template Designer – WP HTML Mail plugin versions 3.0.9 and below suffer from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2022-0218
SHA-256 | 2daac954d0f1c688550129f35862a338821ee9c20becb99aa75ebc8c3fabb72e

WordPress Email Template Designer – WP HTML Mail 3.0.9 Cross Site Scripting

Change Mirror Download
Exploit makes it possible for unauthenticated attackers to achieve complete site takeover.

On December 23, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “WordPress Email Template Designer – WP HTML Mail”, a WordPress plugin that is installed on over 20,000 sites. This flaw made it possible for an unauthenticated attacker to inject malicious JavaScript that would execute whenever a site administrator accessed the template editor. This vulnerability would also allow them to modify the email template to contain arbitrary data that could be used to perform a phishing attack against anyone who received emails from the compromised site.

We sent the full disclosure details to the developer on January 10, 2022, after multiple attempts to contact the developer and eventually receiving a response. The developer quickly acknowledged the report and released a patch on January 13, 2022.

We strongly recommend ensuring that your site has been updated to the latest patched version of “WordPress Email Template Designer – WP HTML Mail”, which is version 3.1 at the time of this publication.

This email content has also been published on our blog and you're welcome to post a comment there if you'd like to join the conversation. (https://email.wordfence.com/e3t/Btc/GC+113/cwG7R04/VWHDpL75Z3_XW4BV8g54nSzDBW7RdXLG4DvH44N31NNzS5js6pV3Zsc37CgClmW2MbXKP1qGwNjW4jBH7-6ZVxShW6Lvyzw7xS90wW7Pj_kV20YJL6W9gr1v15wqdHCW62mCFw6CgLmDN37XHLx8BCshW41WbRV7-4L_gW3bxWBV25mHz1W3KMc066ZhQSYW1LvgN42411V8W55h1_H6hxhTxW2bRqLF47PRK_W5lgzmq1MSksKVvWl-B5Q4pBNW359SM860B8RxN1n59qWGtQttW2DlkJ64tZCVvV9BvD_2ylV4mW71kLBZ47rgbnW58XHc-5jBt2sW26BWFT1cCD6xW7vlbvr7t7-F3N5_TslrJMNvZW71ydcY6NmCzRW4pzKQ52TkMLXW15LPKz1KqSqqW8B3YpV8wxdBQW1b_h1b69r2gHW6D8PdB3GLMMfW6s3jhD5HPY5XW1xR0fr79Sb6B31Mp1 ) Or you can read the full post in this email.

Description: Unprotected REST-API Endpoint to Unauthenticated Stored Cross-Site Scripting and Data Modification

Affected Plugin: WordPress Email Template Designer – WP HTML Mail

Plugin Slug: wp-html-mail

Plugin Developer: codemiq

Affected Versions: <= 3.0.9

CVE ID: CVE-2022-0218

CVSS Score: 8.3 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Researcher/s: Chloe Chamberland

Fully Patched Version: 3.1

WP HTML Mail is a WordPress plugin developed to make designing custom emails simpler for WordPress site owners. It is compatible with various WordPress plugins like WooCommerce, Ninja Forms, BuddyPress, and more. The plugin registers two REST-API routes which are used to retrieve email template settings and update email template settings. Unfortunately, these were insecurely implemented making it possible for unauthenticated users to access these endpoints.

More specifically, the plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method. The REST-API endpoint did use the permission_callback function, however, it was set to __return_true which meant that no authentication was required to execute the functions. Therefore, any user had access to execute the REST-API endpoint to save the email’s theme settings or retrieve the email's theme settings.

[Please read the full article here (https://email.wordfence.com/e3t/Btc/GC+113/cwG7R04/VWHDpL75Z3_XW4BV8g54nSzDBW7RdXLG4DvH44N31NNzS5js6pV3Zsc37CgClmW2MbXKP1qGwNjW4jBH7-6ZVxShW6Lvyzw7xS90wW7Pj_kV20YJL6W9gr1v15wqdHCW62mCFw6CgLmDN37XHLx8BCshW41WbRV7-4L_gW3bxWBV25mHz1W3KMc066ZhQSYW1LvgN42411V8W55h1_H6hxhTxW2bRqLF47PRK_W5lgzmq1MSksKVvWl-B5Q4pBNW359SM860B8RxN1n59qWGtQttW2DlkJ64tZCVvV9BvD_2ylV4mW71kLBZ47rgbnW58XHc-5jBt2sW26BWFT1cCD6xW7vlbvr7t7-F3N5_TslrJMNvZW71ydcY6NmCzRW4pzKQ52TkMLXW15LPKz1KqSqqW8B3YpV8wxdBQW1b_h1b69r2gHW6D8PdB3GLMMfW6s3jhD5HPY5XW1xR0fr79Sb6B31Mp1 ) to view this code snippet.]

As this functionality was designed to implement setting changes for the email template, an unauthenticated user could easily make changes to the email template that could aid in phishing attempts against users that receive emails from the targeted site. Worse yet, unauthenticated attackers could inject malicious JavaScript into the mail template that would execute anytime a site administrator accessed the HTML mail editor.

As always, cross-site scripting vulnerabilities can be used to inject code that can add new administrative users, redirect victims to malicious sites, inject backdoors into theme and plugin files, and so much more. Combined with the fact that the vulnerability can be exploited by attackers with no privileges on a vulnerable site, this means that there is a high chance that unauthenticated attackers could gain administrative user access on sites running the vulnerable version of the plugin when successfully exploited. As such, we strongly recommend that you verify that your site is running the most up to date version of the plugin immediately.

Timeline

December 23, 2021 – Conclusion of the plugin analysis that led to the discovery of a Stored Cross-Site Scripting Vulnerability in the “WordPress Email Template Designer – WP HTML Mail” plugin. We develop and release a firewall rule to protect Wordfence users. Wordfence Premium users receive this rule immediately. We attempt to initiate contact with the developer.

January 4, 2022 – We send an additional outreach attempt to the developer.

January 10, 2022 – The developer confirms the inbox for handling the discussion. We send over the full disclosure details.

January 11, 2022 – The developer acknowledges the report and indicates that they will work on a fix.

January 13, 2022 – A fully patched version of the plugin is released as version 3.1.

January 22, 2022 – The firewall rule becomes available to free Wordfence users.

Conclusion

In today’s post, we detailed a flaw in the “WordPress Email Template Designer – WP HTML Mail” plugin that made it possible for unauthenticated attackers to inject malicious web scripts that would execute whenever a site owner accessed the mail editor area plugin, which could lead to complete site compromise. This flaw has been fully patched in version 3.1.

We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 3.1 at the time of this publication.

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close