fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

WordPress Plugin Flaw Puts Users of 20,000 Sites at Phishing Risk

WordPress Plugin Flaw Puts Users of 20,000 Sites at Phishing Risk

The WordPress WP HTML Mail plugin, installed in over 20,000 sites, is vulnerable to a high-severity flaw that can lead to code injection and the distribution of convincing phishing emails.

‘WP HTML Mail’ is a plugin used for designing custom emails, contact form notifications, and generally tailored messages that online platforms send to their audience.

The plugin is compatible with WooCommerce, Ninja Forms, BuddyPress, and others. While the number of sites using it isn’t large, many have a large audience, allowing the flaw to affect a significant number of Internet users.

Also Read: 4 Reasons to Outsource Penetration Testing Services

According to a report by Wordfence’s Threat Intelligence team, an unauthenticated actor could leverage the flaw tracked as “CVE-2022-0218” to modify the email template to contain arbitrary data of the attacker’s choosing.

Additionally, threat actors can use the same vulnerability to send phishing emails to anyone registered on the compromised sites.

Unprotected API endpoints

The problem lies in the plugin’s registration of two REST-API routes used to retrieve and update email template settings.

These API endpoints aren’t adequately protected from unauthorized access, so even unauthenticated users can call and execute the functions.

As Wordfence explains in detail in its report

The plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method. 

The REST-API endpoint did use the permission_callback function, however, it was set to __return_true which meant that no authentication was required to execute the functions. 

Therefore, any user had access to execute the REST-API endpoint to save the email’s theme settings or retrieve the email’s theme settings.

The two unprotected REST-API endpoints
The two unprotected REST-APIs
Source: Wordfence

Apart from the possibility of phishing attacks, an adversary could also inject malicious JavaScript into the mail template, which would execute anytime the site administrator accessed the HTML mail editor.

This could potentially open the way to adding new admin accounts, redirect the site’s visitors to phishing sites, inject backdoors into the theme files, and even complete site takeover.

Also Read: Vulnerability Assessment vs Penetration Testing: And Why You Need Both

Disclosure and fix

Wordfence discovered and disclosed the vulnerability to the plugin’s developer on December 23, 2021, but they only got a response on January 10, 2022.

The security update that addressed the vulnerability came on January 13, 2022, with the release of version 3.1.

As such, all WordPress site owners and administrators are advised to verify that they’re running the latest version of the ‘WP HTML Mail’ plugin.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us