A recently discovered bug in a popular WordPress plugin could have put thousands of sites at risk of running malicious web scripts against unsuspecting visitors.
The vulnerability, discovered by the Wordfence Threat Intelligence team, was found in the “WordPress Email Template Designer – WP HTML Mail”, a plugin that simplifies the design of personalized emails for websites running on the WordPress website builder.
Some 20,000 websites have the plugin up and running.
Researchers contacted the plugin developers and a fix was released on January 13. The Wordfence Threat Intelligence team urges all WordPress admins running the email template builder plugin to immediately update it to version 3.1.
Detailing the vulnerability, the researchers said the plugin registers two REST-API routes, used to retrieve and update email template settings. As these were “implemented insecurely”, unauthenticated users could access these endpoints.
“The plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method. The REST-API endpoint used the permission_callback function, however, it was set to __return_true, which meant that no authentication was required to run the functions, therefore any user had access to run the REST-API endpoint to save the email theme settings or retrieve the email theme settings,” the researchers explained.
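The misconfiguration the researchers describe, as an added illustration (not the plugin's actual code): a WordPress REST route whose permission_callback is `__return_true` beside a hardened registration that requires an administrator capability. The `example/v1` namespace and the `example_` function names are assumptions; the /themesettings path and the two callback names come from the article.

```php
<?php
// Added illustration of the pattern behind the WP HTML Mail bug; this is not
// the plugin's real source. Namespace 'example/v1' is an assumption.

// BEFORE (vulnerable): '__return_true' always returns true, so WordPress
// skips its capability check and any unauthenticated visitor can GET the
// stored template settings or POST new ones (including HTML/JS that is
// later rendered in mail or in the admin UI).
function example_register_themesettings_vulnerable() {
    register_rest_route( 'example/v1', '/themesettings', array(
        array(
            'methods'             => WP_REST_Server::READABLE,  // GET
            'callback'            => 'getThemeSettings',
            'permission_callback' => '__return_true',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,  // POST/PUT/PATCH
            'callback'            => 'saveThemeSettings',
            'permission_callback' => '__return_true',
        ),
    ) );
}

// AFTER (hardened): WordPress runs this before the callback and answers
// 401 (not logged in) or 403 (logged in, insufficient rights) on failure.
function example_themesettings_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Only administrators may manage email theme settings.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_register_themesettings_fixed() {
    register_rest_route( 'example/v1', '/themesettings', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'getThemeSettings',
            'permission_callback' => 'example_themesettings_permission',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'saveThemeSettings',
            'permission_callback' => 'example_themesettings_permission',
        ),
    ) );
}

// Only the hardened variant is hooked; the vulnerable one is kept for contrast.
add_action( 'rest_api_init', 'example_register_themesettings_fixed' );
```

Because the saved settings are rendered as HTML later, the write handler should additionally sanitise its input (for instance with `wp_kses_post`) rather than relying on the permission check alone.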
“As always, cross-site scripting vulnerabilities can be used to inject code that can add new administrative users, redirect victims to malicious sites, inject backdoors into theme and plugin files, and more,” they concluded.
All of this means there’s a “high chance” that malicious attackers could gain admin user access to sites running the unpatched version of the plugin.