Nearly 20,000 WordPress sites are vulnerable to malicious code injection, phishing scams as the result of a severe XSS bug discovered in the WordPress Email Template Designer WP HTML Mail.
The new vulnerability CVE-2022-0218, with CVSS score 8.3 was caused by a faulty configuration in the REST-API routes used to update the template and change settings, there was no authentication required to access the REST-API endpoint.
Threat actors could add new users with administrative credentials, inject backdoors, implement site redirects, and use legitimate site templates to send phishing emails, among many other things even site takeovers.
This vulnerability can be exploited by attackers with no privileges on a site running the vulnerable version of the plugin when successfully exploited.
The plugin is installed across 20,000 sites and i compatible with other plugins run by WordPress sites with large followings like eCommerce platform WooCommerce, online form builder Ninja Forms and community builder plugin BuddyPress, Chamberland reported.
Its highly recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 3.1 at the time of this publication.