WordPress Plugin Bug Puts Thousands of Sites at Risk of Attack

A recently discovered bug in a popular WordPress plugin could have put thousands of sites at risk of running malicious web scripts against unsuspecting visitors.

The vulnerability, discovered by the Wordfence Threat Intelligence team, was found in the “WordPress Email Template Designer – WP HTML Mail”, a plugin that simplifies the design of personalized emails for websites running on the WordPress website builder.

Some 20,000 websites have the plugin up and running.

WordPress worries

According to the researchers, the flaw allowed an unauthenticated attacker to inject malicious JavaScript, which would run whenever a site administrator accessed the template editor. Additionally, the vulnerability would allow them to modify the email template, adding arbitrary data that could be used in a phishing attack against the recipients of the email.

Researchers contacted the plugin developers and a fix was released on January 13. The Wordfence Threat Intelligence team urges all WordPress admins running the email template builder plugin to immediately update it to version 3.1.

Describing the vulnerability in more detail, the researchers said the plugin registers two REST-API routes, used to retrieve and update email template settings. Because these were “implemented insecurely”, unauthenticated users could access these endpoints.

Inject backdoors

“The plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method. The REST-API endpoint used the permission_callback function, however, it was set to __return_true, which meant that no authentication was required to run the functions, therefore any user had access to run the REST-API endpoint to save or retrieve the email theme settings,” the researchers explained.
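To make the permission_callback point concrete, here is an added example written for this page, not code from the WP HTML Mail plugin: the same /themesettings route registered the weak way (permission_callback set to __return_true, so the REST layer accepts every request) beside a hardened registration that requires a capability, whitelists the accepted keys and sanitises rich-text fields before storing them. The namespace example-mail/v1, the option name, the setting keys and the handler bodies are assumptions; the page names only the route and the saveThemeSettings / getThemeSettings handlers.

```php
<?php
// Added illustration, not the WP HTML Mail plugin's own code. The namespace,
// option name, setting keys and handler bodies are assumptions.

// --- Weak registration: '__return_true' as permission_callback means every
// --- request, authenticated or not, reaches the handlers.
function wpmail_example_register_weak() {
    register_rest_route( 'example-mail/v1', '/themesettings', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'wpmail_example_get_theme_settings',
            'permission_callback' => '__return_true',
        ),
        array(
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => 'wpmail_example_save_theme_settings',
            'permission_callback' => '__return_true',
        ),
    ) );
}

// --- Hardened registration: same route, but each method runs a capability
// --- check, and the write path validates its input before the callback runs.
function wpmail_example_register_hardened() {
    register_rest_route( 'example-mail/v1', '/themesettings', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'wpmail_example_get_theme_settings',
            'permission_callback' => 'wpmail_example_can_manage_templates',
        ),
        array(
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => 'wpmail_example_save_theme_settings',
            'permission_callback' => 'wpmail_example_can_manage_templates',
            'args'                => array(
                'settings' => array(
                    'required'          => true,
                    'type'              => 'object',
                    'validate_callback' => 'wpmail_example_validate_settings',
                ),
            ),
        ),
    ) );
}

// Capability check: only users allowed to manage options (administrators by
// default) may read or write the template. Returning a WP_Error makes the
// REST server answer 401 (not logged in) or 403 (logged in, no capability).
function wpmail_example_can_manage_templates( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to manage email templates.', 'example-mail' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Accept only the keys the template actually uses; anything else is a 400.
function wpmail_example_validate_settings( $value, WP_REST_Request $request, $param ) {
    $allowed = array( 'header_text', 'footer_text', 'background_color' );
    if ( ! is_array( $value ) ) {
        return new WP_Error( 'rest_invalid_param', 'settings must be an object', array( 'status' => 400 ) );
    }
    foreach ( array_keys( $value ) as $key ) {
        if ( ! in_array( $key, $allowed, true ) ) {
            return new WP_Error( 'rest_invalid_param', "unknown setting: $key", array( 'status' => 400 ) );
        }
    }
    return true;
}

function wpmail_example_get_theme_settings( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'wpmail_example_theme_settings', array() ) );
}

// Sanitise before storing: wp_kses_post() strips <script> tags and on*
// event handlers from rich-text fields, so stored content cannot execute
// when the template editor renders it; the colour field must be a hex value.
function wpmail_example_save_theme_settings( WP_REST_Request $request ) {
    $incoming = $request->get_param( 'settings' );
    $color    = (string) ( $incoming['background_color'] ?? '' );
    $clean    = array(
        'header_text'      => wp_kses_post( $incoming['header_text'] ?? '' ),
        'footer_text'      => wp_kses_post( $incoming['footer_text'] ?? '' ),
        'background_color' => preg_match( '/^#[0-9a-fA-F]{6}$/', $color ) ? $color : '',
    );
    update_option( 'wpmail_example_theme_settings', $clean );
    return rest_ensure_response( $clean );
}

add_action( 'rest_api_init', 'wpmail_example_register_hardened' );
```

With the hardened registration, a request carrying no login cookie is rejected with 401 before either handler runs, and a logged-in browser request must also carry the X-WP-Nonce header that WordPress requires for cookie-authenticated REST calls, otherwise current_user_can() sees no user. A quick audit of any plugin's REST routes is to grep for `'permission_callback' => '__return_true'` and confirm that each such route genuinely exposes only public, read-only data.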

Because the endpoint lets a caller change the parameters of the email template, a malicious actor could “easily” turn it into a phishing tool, the researchers added. They could also add malicious JavaScript to the template.

“As always, cross-site scripting vulnerabilities can be used to inject code that can add new administrative users, redirect victims to malicious sites, inject backdoors into theme and plugin files, and more,” they concluded.

All of this means there’s a “high chance” that malicious attackers could gain admin user access to sites running the unpatched version of the plugin.

Esther L. Gunn