WordPress plugin bug puts thousands of sites at risk of attack – TechRadar

TechRadar is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Here’s why you can trust us
By Sead Fadilpašić published
Some 20,000 websites have the vulnerable WordPress plugin up and running
A bug recently found in a popular WordPress plugin (opens in new tab) could have put thousands of sites at risk of running malicious web scripts against unsuspecting visitors.
The vulnerability, discovered by the Wordfence Threat Intelligence (opens in new tab) team, was found in the “WordPress Email Template Designer – WP HTML Mail”, a plugin that simplifies designing custom emails for websites running on the WordPress website builder (opens in new tab).
Some 20,000 websites have the plugin up and running. 
According to the researchers, the flaw allowed for an unauthenticated attacker to inject malicious JavaScript, that would run whenever a site admin accesses the template editor. What’s more, the vulnerability would let them modify the email template, adding arbitrary data which could be used in a phishing attack against the email’s recipients.
The researchers reached out to the plugin’s developers, and a patch was issued on January 13. The Wordfence Threat Intelligence Team urges all WordPress (opens in new tab) administrators running the email template designer plugin to update it to version 3.1 immediately.
Further detailing the vulnerability, the researchers said the plugin registers two REST-API routes, used to retrieve, and update, email template settings. As these were “insecurely implemented”, unauthenticated users could access these endpoints. 
“The plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method. The REST-API endpoint did use the permission_callback function, however, it was set to __return_true which meant that no authentication was required to execute the functions. Therefore, any user had access to execute the REST-API endpoint to save the email’s theme settings or retrieve the email’s theme settings,” the researchers explained.
The functionality allows for the implementation of setting changes to the email template, which means a malicious actor could “easily” transform it into a tool for phishing, the researchers further stated. They could even add malicious JavaScript into the template. 
“As always, cross-site scripting vulnerabilities can be used to inject code that can add new administrative users, redirect victims to malicious sites, inject backdoors into theme and plugin files, and so much more,” they concluded. 
All of this means there’s a “high chance” malicious attackers can obtain admin user access on sites running the unpatched version of the plugin.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Sign up to theTechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Thank you for signing up to TechRadar. You will receive a verification email shortly.
There was a problem. Please refresh the page and try again.
TechRadar is part of Future US Inc, an international media group and leading digital publisher. Visit our corporate site (opens in new tab).
© Future US, Inc. Full 7th Floor, 130 West 42nd Street, New York, NY 10036.


Registered for Cape Town Website Design Agency