Description

WordPress Plugin WP Email Template is prone to an HTML injection vulnerability because it fails to properly sanitize user-supplied input. Attacker supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user; other attacks are also possible. WordPress Plugin WP Email Template version 2.2.10 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 2.3.0 or latest

References

https://blog.nintechnet.com/multiple-wordpress-plugins-vulnerable-to-html-injection/

https://plugins.svn.wordpress.org/wp-email-template/trunk/readme.txt

Related Vulnerabilities

WordPress Plugin WP Advanced Comment Cross-Site Scripting (0.10)

WordPress Plugin Visual Email Designer for WooCommerce SQL Injection (1.7.1)

WordPress Plugin Malware Scanner Unspecified Vulnerability (4.7.3)

Nexus Repository Manager Improper Restriction of XML External Entity Reference Vulnerability (CVE-2020-29436)

Moodle Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2021-43559)

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Tags

Missing Update XSS