WordPress plugin bug puts thousands of sites at risk of attack

A recently discovered bug in a popular WordPress plugin could have put thousands of sites at risk of running malicious web scripts against unsuspecting visitors.

The vulnerability, discovered by the Wordfence Threat Intelligence team, was found in "WordPress Email Template Designer - WP HTML Mail", a plugin that simplifies the design of custom emails for websites built on WordPress.

Some 20,000 websites have the plugin installed and active.

WordPress Concerns

According to the researchers, the flaw allowed an unauthenticated attacker to inject malicious JavaScript, which would be executed every time a site administrator accessed the template editor. Additionally, the vulnerability would allow them to modify the email template, adding arbitrary data that could be used in a phishing attack against email recipients.

Researchers contacted the plugin developers and a fix was released on January 13. The Wordfence Threat Intelligence team urges all WordPress admins running the Email Template Builder plugin to update to version 3.1 immediately.

Describing the vulnerability in more detail, the researchers said that the plugin registers two REST API routes, which are used to retrieve and update email template settings. Because these were "implemented insecurely", unauthenticated users could reach the endpoints.

Injecting backdoors

"The plugin registers the /themesettings endpoint, which calls either the saveThemeSettings function or the getThemeSettings function depending on the request method. The REST API endpoint used the callback function, however it was set to __return_true, which meant that authentication was not required to execute the functions, therefore any user had access to execute the REST API endpoint to save email subject configuration or retrieve email subject configuration," explained the researchers.
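As an added illustration (not the plugin's own code), the PHP below shows a REST route registered with the __return_true permission check the researchers describe, beside a hardened registration that requires the manage_options capability and filters the HTML it stores. The namespace, option key and function names are assumptions for the example.

```php
<?php
// Added example (not the plugin's code): a REST route registered the insecure
// way described above, beside a hardened registration. Namespace, option key
// and function names are assumptions for illustration.

add_action( 'rest_api_init', function () {
    // Insecure: '__return_true' as the permission check means any visitor,
    // logged in or not, can read or overwrite the template settings.
    register_rest_route( 'example-mail/v1', '/themesettings', array(
        'methods'             => array( 'GET', 'POST' ),
        'callback'            => 'example_theme_settings_handler',
        'permission_callback' => '__return_true',
    ) );

    // Hardened: the same route, but only users who can manage options
    // (administrators) pass the permission check. For cookie-authenticated
    // requests WordPress additionally requires a valid X-WP-Nonce header.
    register_rest_route( 'example-mail/v1', '/themesettings-secure', array(
        'methods'             => array( 'GET', 'POST' ),
        'callback'            => 'example_theme_settings_handler',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

// Dispatches on the HTTP method, as the quoted description says the plugin does.
function example_theme_settings_handler( WP_REST_Request $request ) {
    if ( 'GET' === $request->get_method() ) {
        return rest_ensure_response( get_option( 'example_mail_theme_settings', array() ) );
    }
    return example_save_theme_settings( $request );
}

// Filters what is stored so that even an authorised editor cannot persist
// <script> tags or inline event handlers into the template.
function example_save_theme_settings( WP_REST_Request $request ) {
    $clean = array();
    foreach ( (array) $request->get_json_params() as $key => $value ) {
        // wp_kses_post() keeps ordinary post HTML and strips script tags and on* attributes.
        $clean[ sanitize_key( $key ) ] = wp_kses_post( (string) $value );
    }
    update_option( 'example_mail_theme_settings', $clean );
    return rest_ensure_response( $clean );
}
```

A quick check for any installed plugin is to search its source for permission_callback set to __return_true on routes that write settings; such routes are reachable by anyone who can send an HTTP request to the site.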

Because the endpoint lets anyone change the template's parameters, a malicious actor could "easily" turn it into a phishing tool, the researchers added. They could also add malicious JavaScript to the template.

"As always, cross-site scripting vulnerabilities can be used to inject code that can add new administrative users, redirect victims to malicious sites, inject backdoors into plugin and theme files, and more," they concluded.

All of this means that there is a "high probability" that malicious attackers could gain admin user access to sites running the unpatched version of the plugin.