WordPress plugin bug puts thousands of sites at risk of attack


A bug recently found in a popular WordPress plugin could have put thousands of sites at risk: an attacker with no account at all could plant malicious scripts that run in the browser of any administrator who opens the plugin's editor, and could turn the site's outgoing emails into phishing lures.

The vulnerability, discovered by the Wordfence Threat Intelligence team, was found in “WordPress Email Template Designer - WP HTML Mail”, a plugin that simplifies designing custom emails for websites running on WordPress.

Some 20,000 websites have the plugin up and running. 

WordPress worries

According to the researchers, the flaw allowed an unauthenticated attacker to inject malicious JavaScript, which would run whenever a site admin accessed the template editor. What’s more, the vulnerability let them modify the email template itself, adding arbitrary content that could be used in a phishing attack against the email’s recipients.

The researchers reached out to the plugin’s developers, and a patch was issued on January 13. The Wordfence Threat Intelligence Team urges all WordPress administrators running the email template designer plugin to update it to version 3.1 immediately.

Further detailing the vulnerability, the researchers said the plugin registers two REST-API routes, one used to retrieve and one to update the email template settings. Because these were “insecurely implemented”, unauthenticated users could reach both endpoints.

Injecting backdoors

“The plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method. The REST-API endpoint did use the permission_callback function, however, it was set to __return_true which meant that no authentication was required to execute the functions. Therefore, any user had access to execute the REST-API endpoint to save the email’s theme settings or retrieve the email’s theme settings,” the researchers explained.

Because the endpoint accepts changes to the email template's settings, a malicious actor could “easily” turn the template into a tool for phishing, the researchers further stated. They could also embed malicious JavaScript in the template.
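To make the root cause concrete, here is an added illustrative example of the anti-pattern the researchers describe beside a hardened version. This is not the WP HTML Mail plugin's own code: the `/themesettings` route and the `permission_callback` set to `__return_true` come from the Wordfence description quoted above, while the namespace `example-mail/v1`, the option name and the setting keys are assumptions made for this example.

```php
<?php
/**
 * Added illustrative example, not code from the WP HTML Mail plugin.
 *
 * The '/themesettings' route and permission_callback => '__return_true'
 * are taken from the Wordfence description quoted in the article; the
 * namespace 'example-mail/v1', the option name and the setting keys are
 * assumptions made for this example.
 */

// --- The pattern the researchers describe: both methods are open to anyone.
// Left unhooked here purely for comparison with the hardened version below.
function example_mail_register_routes_vulnerable() {
    register_rest_route( 'example-mail/v1', '/themesettings', array(
        array(
            'methods'             => WP_REST_Server::READABLE,  // GET
            'callback'            => 'example_mail_get_theme_settings',
            'permission_callback' => '__return_true',           // no authentication at all
        ),
        array(
            'methods'             => WP_REST_Server::CREATABLE, // POST
            'callback'            => 'example_mail_save_theme_settings_unsafe',
            'permission_callback' => '__return_true',           // anyone can overwrite the template
        ),
    ) );
}

// --- Hardened registration: a real capability check on every method.
function example_mail_register_routes_hardened() {
    register_rest_route( 'example-mail/v1', '/themesettings', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_mail_get_theme_settings',
            'permission_callback' => 'example_mail_can_manage_templates',
        ),
        array(
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => 'example_mail_save_theme_settings',
            'permission_callback' => 'example_mail_can_manage_templates',
        ),
    ) );
}
add_action( 'rest_api_init', 'example_mail_register_routes_hardened' );

// Only administrators (manage_options) may read or change the template.
// Cookie-authenticated REST requests are treated as anonymous unless they
// carry a valid X-WP-Nonce header, so this also blocks CSRF against admins.
function example_mail_can_manage_templates( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to manage email templates.',
        array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged in
    );
}

function example_mail_get_theme_settings( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'example_mail_theme_settings', array() ) );
}

// Unsafe save: stores whatever JSON arrives, <script> tags included (stored XSS).
function example_mail_save_theme_settings_unsafe( WP_REST_Request $request ) {
    update_option( 'example_mail_theme_settings', $request->get_json_params() );
    return rest_ensure_response( get_option( 'example_mail_theme_settings' ) );
}

// Hardened save: allow-list the keys and strip anything executable from the HTML.
function example_mail_save_theme_settings( WP_REST_Request $request ) {
    $input = $request->get_json_params();
    if ( ! is_array( $input ) ) {
        return new WP_Error( 'rest_invalid_param', 'Expected a JSON object.', array( 'status' => 400 ) );
    }

    $clean = array();
    foreach ( array( 'header_html', 'footer_html' ) as $key ) {
        if ( isset( $input[ $key ] ) ) {
            // wp_kses_post removes <script>, on* event handlers and javascript: URLs
            // while keeping the markup an email template legitimately needs.
            $clean[ $key ] = wp_kses_post( (string) $input[ $key ] );
        }
    }
    if ( isset( $input['primary_color'] ) ) {
        if ( ! preg_match( '/^#[0-9a-fA-F]{6}$/', (string) $input['primary_color'] ) ) {
            return new WP_Error( 'rest_invalid_param', 'primary_color must be a #rrggbb value.', array( 'status' => 400 ) );
        }
        $clean['primary_color'] = strtolower( $input['primary_color'] );
    }

    update_option( 'example_mail_theme_settings', $clean );
    return rest_ensure_response( $clean );
}
```

The quick check a site owner can run against any plugin route is the same one this example is built around: an unauthenticated `GET` or `POST` to the route under `/wp-json/` should come back as HTTP 401 with the `rest_forbidden` code. If it returns the settings JSON, or accepts a new template body, the `permission_callback` is not doing its job, regardless of what the plugin's changelog says.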

“As always, cross-site scripting vulnerabilities can be used to inject code that can add new administrative users, redirect victims to malicious sites, inject backdoors into theme and plugin files, and so much more,” they concluded. 

All of this means there’s a “high chance” malicious attackers can obtain admin user access on sites running the unpatched version of the plugin.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.