CVE-2022-0218 Scanner
Detects a 'Cross-Site Scripting (XSS)' vulnerability in the WP HTML Mail plugin for WordPress, affecting versions 3.0.9 and earlier.
Short Info
Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 1 month 3 days
Scan only one: URL
Toolbox: -
The WP HTML Mail plugin for WordPress is a popular email customization plugin that allows website owners to send professional and customizable emails to their subscribers. This plugin is widely used because it makes email design and management a breeze. With WP HTML Mail, users can easily build their own email templates and customize the look and feel of their emails. They can also include dynamic content, such as post updates, in their emails without hassle.
However, security researchers have recently discovered a severe flaw in the plugin's codebase. The vulnerability, identified as CVE-2022-0218, allows attackers to gain unauthorized access to sensitive information. Specifically, it allows unauthenticated attackers to retrieve and modify theme settings through the /themesettings REST API endpoint, which is implemented in the ~/includes/class-template-designer.php file. A malicious actor can call this endpoint to inject malicious JavaScript into a vulnerable WordPress site.
If this vulnerability is exploited, it opens a Pandora's box of potential risks and dangers. With the ability to modify theme settings, an attacker can change the website's appearance, redirect traffic to malicious sites, and even steal user data. This vulnerability can also be used to exploit other plugins or extensions installed on the website.
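A site owner can check their own exposure from the two facts given above, the affected version range and the /themesettings REST route. The following is an added example, not code from the plugin or from this scanner. The log format (combined access log), the `example/v1` route namespace and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format prefix: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
LAST_AFFECTED = (3, 0, 9)  # from the page: v3.0.9 and before are affected

def is_affected(version):
    """True if a WP HTML Mail version string is 3.0.9 or earlier."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts + (0,) * (3 - len(parts)) <= LAST_AFFECTED

def rest_route(target):
    """REST route of a request target (pretty or ?rest_route= form), else None."""
    url = urlsplit(target)
    if "/wp-json/" in url.path:
        return "/" + url.path.split("/wp-json/", 1)[1]
    route = parse_qs(url.query).get("rest_route")
    return route[0] if route else None

def themesettings_hits(lines):
    """Requests to any REST route ending in /themesettings, as
    (ip, method, 'read'|'write', status). An access log does not show whether
    the caller was logged in, so successful writes need manual review."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        route = rest_route(m["target"]) if m else None
        if route and route.rstrip("/").endswith("/themesettings"):
            kind = "write" if m["method"] in WRITE_METHODS else "read"
            hits.append((m["ip"], m["method"], kind, int(m["status"])))
    return hits

# Constructed sample lines; "example/v1" is a placeholder namespace.
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2022:10:00:01 +0000] "GET /wp-json/example/v1/themesettings HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2022:10:00:05 +0000] "POST /wp-json/example/v1/themesettings HTTP/1.1" 200 64',
    '198.51.100.4 - - [10/Jan/2022:10:01:00 +0000] "POST /index.php?rest_route=%2Fexample%2Fv1%2Fthemesettings HTTP/1.1" 401 80',
    '198.51.100.9 - - [10/Jan/2022:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in themesettings_hits(SAMPLE):
        print(hit)
```

A 2xx write to this route on a site where `is_affected()` is true for the installed plugin version is the case to investigate first, by comparing the stored theme settings against a known-good copy.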
At S4E, we offer advanced services to help you learn about and protect your digital assets. Our platform features pro-level security scanning that detects and alerts you about any vulnerabilities or threats on your website. With our services, you can rest assured that your website is always safe and secure. Protect your online presence today by signing up for S4E.