20K WordPress Sites Exposed by Insecure Plugin REST-API (Security News, January 2022)

More than 20,000 WordPress sites are vulnerable to malicious code injection, phishing scams and more as a result of a high-severity cross-site scripting bug discovered in WordPress Email Template Designer - WP HTML Mail, a plugin for designing custom emails.
"Combined with the fact that the vulnerability can be exploited by attackers with no privileges on a vulnerable site, this means that there is a high chance that unauthenticated attackers could gain administrative user access on sites running the vulnerable version of the plugin when successfully exploited," Chamberland said.
The plugin is installed on about 20,000 sites and is compatible with widely used WordPress plugins such as the eCommerce platform WooCommerce, the online form builder Ninja Forms and the community-building plugin BuddyPress, Chamberland reported.
In the same week, three other WordPress plugins were reported with the same bug, exposing 84,000 sites running eCommerce add-ons to full site takeover.
WordPress site administrators are advised by Chamberland to ensure they're running the most up-to-date version, WordPress Email Template Designer - WP HTML Mail version 3.1.
"If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to complete site takeover," Chamberland cautioned.
News URL: https://threatpost.com/wordpress-insecure-plugin-rest-api/177866/