# High-Risk Vulnerability in WordPress Plugin Threatens 20,000 Sites
## Chapter 1: Overview of the Vulnerability
A significant flaw has been discovered in the WP HTML Mail plugin, which jeopardizes the security of more than 20,000 websites, leaving them vulnerable to phishing attacks.
### Section 1.1: Details of the Plugin Issue
The WP HTML Mail plugin, widely used for crafting custom emails, contact form notifications, and other communications, has been identified as having a severe security issue. This plugin integrates seamlessly with other popular tools like WooCommerce, Ninja Forms, and BuddyPress. Although the number of sites utilizing it may not be vast, its widespread usage among sites with large audiences raises significant concerns.
Research conducted by Wordfence's Threat Intelligence team highlights that a vulnerability tracked as CVE-2022-0218 could allow unauthenticated users to modify email templates with harmful content. Moreover, malicious entities could exploit this flaw to dispatch phishing emails to unsuspecting users registered on compromised sites.
#### Subsection 1.1.1: API Security Flaw
The crux of the issue lies in the plugin's inadequate protection of two REST-API endpoints responsible for fetching and updating email template data. These endpoints lack proper permission checks, allowing unauthenticated users to access and execute functions that could lead to unauthorized alterations of the templates.
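As an added illustration (not the plugin's own code; the route, option and function names are hypothetical, since the page does not name the real endpoints), the WordPress pattern behind this class of bug, with the missing permission check shown beside the hardened form:

```php
<?php
// Hypothetical plugin code; not the WP HTML Mail plugin's own endpoints.
//
// Vulnerable pattern: a permission_callback that unconditionally returns true
// makes both endpoints reachable by anyone, logged in or not:
//
//   'permission_callback' => '__return_true',   // on the GET and POST routes
//
// Hardened form: gate every route on a capability and sanitize what is stored.

function example_template_permission() {
    // Only users allowed to manage site settings may read or edit templates.
    if (!current_user_can('manage_options')) {
        return new WP_Error(
            'rest_forbidden',
            'Insufficient privileges.',
            ['status' => rest_authorization_required_code()] // 401 or 403
        );
    }
    return true;
}

function example_get_template(WP_REST_Request $req) {
    return rest_ensure_response(['html' => get_option('example_mail_template', '')]);
}

function example_update_template(WP_REST_Request $req) {
    // 'html' has already passed the sanitize_callback declared below.
    update_option('example_mail_template', $req->get_param('html'));
    return rest_ensure_response(['saved' => true]);
}

add_action('rest_api_init', function () {
    register_rest_route('example-mail/v1', '/template', [
        [
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_get_template',
            'permission_callback' => 'example_template_permission',
        ],
        [
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_update_template',
            'permission_callback' => 'example_template_permission',
            'args' => [
                'html' => [
                    'required'          => true,
                    // Strips <script> tags and on* handlers before the template
                    // is saved, blunting the stored-script risk in the editor.
                    'sanitize_callback' => 'wp_kses_post',
                ],
            ],
        ],
    ]);
});
```

The permission callback is what the REST API evaluates before the handler runs; a missing or always-true callback is the defect class the article describes.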
### Section 1.2: Potential Consequences
Beyond phishing threats, an attacker could inject malicious JavaScript into the email templates. This script would execute whenever the site administrator accessed the HTML mail editor, potentially resulting in the creation of new admin accounts, redirection of users to phishing sites, insertion of backdoors into theme files, or even complete control of the website.
## Chapter 2: Response and Recommendations
On December 23, 2021, the Wordfence team identified and reported the vulnerability to the plugin's developers. Unfortunately, no response was received until January 10, 2022. A security patch was finally released on January 13, 2022, with version 3.1 of the plugin addressing the vulnerability. Therefore, it is crucial for all WordPress site owners and administrators to ensure they are using the latest version of the WP HTML Mail plugin.
The first video titled "PSA WordPress Plugins Compromised Update Now!" provides critical insights into the implications of this security issue and the steps to take to protect your website.
Additionally, the second video, "WordPress Website Malware Removal Tips for Hacked Websites (Spam Links)," offers practical guidance on how to recover from a website compromise and safeguard against future threats.