Multiple WordPress plugins vulnerable to HTML injection.

Multiple plugins offering to convert WordPress’ default plain text emails to HTML format were found to be vulnerable to HTML injection, which could lead to phishing or CSRF attacks targeting the administrator.

Reference

A CVE ID has been requested and we’ll update this post when it is assigned.

Vulnerable plugins

HTML Injection

Those plugins convert the default plain text emails sent by WordPress to HTML format. However, they take the content of the “text/plain” part and turn it into a new “text/html” part without sanitising it. That can lead to HTML injection and can be used for phishing and CSRF attacks targeting the administrators because it affects all messages sent by the blog, its plugins and themes (e.g., contact form, comment, notification etc).

Here’s an example of a malicious message posted using the WordPress default comment form:

Because WordPress sends plain text emails, it doesn’t need to sanitise the body, and thus the administrator will receive the following message:

Obviously, the attempt to trick the admin into clicking on the malicious link is so plain to see that the attacker doesn’t stand a chance.
But it’s a whole different story when the same message is sent, unsanitised, using one of the above plugins:

Timeline

The vulnerabilities were discovered and reported to the wordpress.org team on October 16, 2019.

Recommendations

Update any of the above plugins to the latest available version.

Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet