A major flaw in a WordPress email plugin put more than 20,000 websites at risk. The vulnerability was in the WordPress Email Template Designer – WP HTML Mail extension, used for contact form systems, custom messages and notifications, but which also contained openings that allowed everything from use in phishing attacks and injection of malicious code to outright site takeover.
The alert is rated high severity because of the plugin’s integration with sales systems such as WooCommerce and with other popular extensions on sites running the content manager. According to Wordfence’s report on the flaw, even though WordPress Email Template Designer – WP HTML Mail does not have an especially large number of installations, it is present on sites with significant combined traffic.
More specifically, the problem lies in the way the software exposes two API endpoints to read and update email themes. Neither endpoint is authenticated or otherwise protected, which allows attackers to execute code, either to download the look of messages for use in phishing attacks or to manipulate system resources and the server itself.
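The following is an added illustration, not code from WP HTML Mail or from Wordfence’s report: a WordPress plugin registering REST endpoints to read and update an email template, first in the unprotected shape the article describes (a permission callback that always returns true), then hardened with a capability check and HTML sanitization. The namespace `example-mail/v1`, the option name `example_mail_template` and all `example_*` function names are invented for this example.

```php
<?php
/*
 * Added illustration, not the plugin's own code: REST endpoints that read and
 * update a stored email template. Namespace, option name and function names
 * are invented for this example.
 */

// Weak registration: the permission callback always returns true, so an
// unauthenticated visitor can fetch the template (to clone the site's look)
// or overwrite it with arbitrary HTML. Shown for contrast only; never hooked.
function example_register_routes_unprotected() {
    register_rest_route( 'example-mail/v1', '/template', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_get_template',
            'permission_callback' => '__return_true',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_update_template',
            'permission_callback' => '__return_true',
        ),
    ) );
}

// Hardened registration: both methods require a capability check, and the
// incoming HTML is sanitized before it reaches the callback.
function example_register_routes_protected() {
    register_rest_route( 'example-mail/v1', '/template', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_get_template',
            'permission_callback' => 'example_can_manage_template',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_update_template',
            'permission_callback' => 'example_can_manage_template',
            'args'                => array(
                'html' => array(
                    'type'              => 'string',
                    'required'          => true,
                    // Strips <script>, on* handlers and javascript: URLs,
                    // closing off stored XSS in the saved template.
                    'sanitize_callback' => 'wp_kses_post',
                ),
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_register_routes_protected' );

// Only users with manage_options (administrators) may read or change the
// template. Cookie-authenticated REST requests also need a valid X-WP-Nonce;
// without it WordPress treats the request as anonymous and this check fails.
function example_can_manage_template( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to manage email templates.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_get_template( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'html' => get_option( 'example_mail_template', '' ),
    ) );
}

function example_update_template( WP_REST_Request $request ) {
    // The value has already passed through wp_kses_post via 'args'.
    $html = $request->get_param( 'html' );
    update_option( 'example_mail_template', $html );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

The two registrations differ only in the `permission_callback` and the `args` sanitizer, which is the whole point: a REST route with no real authorization check is reachable by anyone who can send an HTTP request to the site, regardless of whether the rest of the plugin is only used by administrators. A quick way to audit a site for this pattern is to look at which routes return data for an anonymous request to `/wp-json/` and confirm that any route that writes settings rejects unauthenticated callers.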
According to experts, the vulnerability could allow the injection of malicious code into emails sent to customers and users, as well as the creation of new accounts with administrator privileges. From there, criminals could plant footholds for further attacks, redirect visitors from legitimate pages to malicious domains and, ultimately, take complete control of vulnerable sites.
The flaw was discovered by Wordfence on December 23, but an update was not released until weeks later, on January 13. Version 3.1 of WordPress Email Template Designer – WP HTML Mail fixes the problem and should be applied by all site administrators who have the plugin installed, so that disclosure of the vulnerabilities does not lead to attacks against systems that are not running the latest release.
While there are no records of the flaw being exploited in the wild, users of the plugin can take the additional step of reviewing the code of their outgoing email templates and the accounts registered as administrators in WordPress. Delete any suspicious entries, and keep the content management system itself, as well as other extensions, always up to date.