CyberNews Briefs

20K WordPress Sites Exposed by Insecure Plugin REST-API

More than 20,000 WordPress sites are vulnerable to malicious code injection, phishing scams, and other cyber threats due to a high-severity cross-site scripting (XSS) bug affecting the WordPress Email Template Designer. The template designer is WP HTML Mail, a plugin that lets users design custom emails. Wordfence researcher Chloe Chamberland was the first to discover the vulnerability, which is tracked as CVE-2022-0218 and has a severity score of 8.3. Chamberland explained that the vulnerability was caused by a faulty configuration in the plugin's REST-API routes, which are used to update the template and change settings.

Any user could execute the REST-API endpoint to save or retrieve email settings. They could potentially inject malicious JavaScript into the mail template that would execute when a site administrator accesses the mail editing tool. This means that threat actors could add new users with administrative credentials, inject backdoors, and use legitimate site templates to send phishing emails. The vulnerability can be exploited by attackers with no privileges on a vulnerable site, meaning that there is a high chance unauthenticated attackers could gain admin user access. Wordfence recommends that affected WordPress users upgrade to the newest version of the platform and exercise caution.
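The brief describes a REST route that any visitor could call. The following is an added illustration, not WP HTML Mail's code and not Wordfence's write-up: a minimal WordPress plugin that stores a mail template over the REST API, showing the weak route configuration (a permission callback that always returns true) beside the hardened one (an administrator capability check plus sanitization of the stored markup). The namespace `example-mail/v1`, the option name `example_mail_template` and all `example_mail_*` function names are assumptions; the WordPress functions used (`register_rest_route`, `current_user_can`, `wp_kses_post`, and so on) are real core APIs.

```php
<?php
/*
 * Added example (not WP HTML Mail's code). Two REST routes that save a mail
 * template: the weak pattern the brief describes, and a hardened version.
 * Namespace, option name and function names are assumptions.
 */

add_action( 'rest_api_init', function () {

    // WEAK: '__return_true' makes the route callable by anyone, including
    // unauthenticated visitors. Whatever HTML/JS is posted is stored as-is
    // and later renders inside the administrator's template editor.
    register_rest_route( 'example-mail/v1', '/template-weak', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            update_option( 'example_mail_template', $request->get_param( 'template' ) );
            return rest_ensure_response( array( 'saved' => true ) );
        },
    ) );

    // HARDENED: both reading and writing require an administrator-level
    // capability, and the template is sanitized before it is stored.
    register_rest_route( 'example-mail/v1', '/template', array(
        array(
            'methods'             => 'GET',
            'permission_callback' => 'example_mail_can_manage',
            'callback'            => 'example_mail_get_template',
        ),
        array(
            'methods'             => 'POST',
            'permission_callback' => 'example_mail_can_manage',
            'callback'            => 'example_mail_save_template',
            'args'                => array(
                'template' => array(
                    'required'          => true,
                    'type'              => 'string',
                    'sanitize_callback' => 'example_mail_sanitize_template',
                ),
            ),
        ),
    ) );
} );

/**
 * Permission callback: only users who can manage site options may touch
 * the template. Cookie-authenticated REST requests without a valid
 * X-WP-Nonce header are treated by core as unauthenticated, so
 * current_user_can() fails for them as well.
 */
function example_mail_can_manage() {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to manage mail templates.',
        array( 'status' => rest_authorization_required_code() )
    );
}

/**
 * Sanitize callback: wp_kses_post() strips <script> elements, on* event
 * handlers and javascript: URLs while keeping the markup an email template
 * legitimately needs (tables, inline styles, images, links).
 */
function example_mail_sanitize_template( $value ) {
    return wp_kses_post( (string) $value );
}

function example_mail_save_template( WP_REST_Request $request ) {
    // The value has already passed through the sanitize callback above.
    update_option( 'example_mail_template', $request->get_param( 'template' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

function example_mail_get_template() {
    return rest_ensure_response( array(
        'template' => get_option( 'example_mail_template', '' ),
    ) );
}
```

The capability check is the fix for the access problem the brief describes; the sanitize callback is defence in depth so that a stored template can never carry script into the editor even if some other path writes to the option. Since WordPress 5.5 core logs a notice for routes registered without any `permission_callback`, which is a quick way to audit a plugin for exactly this class of mistake.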

Read More: 20K WordPress Sites Exposed by Insecure Plugin REST-API

OODA Analyst

OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.