WordPress plugin flaw puts users of 20,000 sites at phishing risk
Security News, January 2022
The WordPress WP HTML Mail plugin, installed on over 20,000 sites, contains a high-severity flaw that can lead to code injection and the distribution of convincing phishing emails.
'WP HTML Mail' is a plugin used for designing custom emails, contact form notifications, and generally tailored messages that online platforms send to their audience.
While the number of sites using it isn't large, many have a large audience, allowing the flaw to affect a significant number of Internet users.
Threat actors can use the same vulnerability to send phishing emails to anyone registered on the compromised sites.
Apart from the possibility of phishing attacks, an adversary could also inject malicious JavaScript into the mail template, which would execute whenever the site administrator accessed the HTML mail editor.
All WordPress site owners and administrators are advised to verify that they're running the latest version of the 'WP HTML Mail' plugin.