The Wordfence Threat Intelligence team has discovered a vulnerability in “WordPress Email Template Designer – WP HTML Mail”, a WordPress plugin that is installed on over 20,000 sites.

This flaw made it possible for an unauthenticated attacker to inject malicious JavaScript that would execute whenever a site administrator accessed the template editor. This vulnerability would also allow them to modify the email template to contain arbitrary data that could be used to perform a phishing attack against anyone who received emails from the compromised site.

WP HTML Mail is a WordPress plugin developed to make designing custom emails simpler for WordPress site owners. It is compatible with various WordPress plugins like WooCommerce, Ninja Forms, BuddyPress, and more. The plugin registers two REST-API routes which are used to retrieve email template settings and update email template settings. Unfortunately, these were insecurely implemented making it possible for unauthenticated users to access these endpoints.

More specifically, the plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method. The REST-API endpoint did use the permission_callback function, however, it was set to __return_true which meant that no authentication was required to execute the functions. Therefore, any user had access to execute the REST-API endpoint to save the email’s theme settings or retrieve the email’s theme settings.

public function rest_api_init() {
    register_rest_route( $this->api_base, '/themesettings', array(
        'methods' => 'GET',
        'callback' => [ $this, 'getThemeSettings' ],
        'permission_callback' => '__return_true'
    ));
     
    register_rest_route( $this->api_base, '/themesettings', array(
        'methods' => 'POST',
        'callback' => [ $this, 'saveThemeSettings' ],
        'permission_callback' => '__return_true'
    ));
}

As this functionality was designed to implement setting changes for the email template, an unauthenticated user could easily make changes to the email template that could aid in phishing attempts against users that receive emails from the targeted site. Worse yet, unauthenticated attackers could inject malicious JavaScript into the mail template that would execute anytime a site administrator accessed the HTML mail editor.

As always, cross-site scripting vulnerabilities can be used to inject code that can add new administrative users, redirect victims to malicious sites, inject backdoors into theme and plugin files, and so much more. Combined with the fact that the vulnerability can be exploited by attackers with no privileges on a vulnerable site, this means that there is a high chance that unauthenticated attackers could gain administrative user access on sites running the vulnerable version of the plugin when successfully exploited. As such, we strongly recommend that you verify that your site is running the most up-to-date version of the plugin immediately.