VYPR
Unrated severityNVD Advisory· Published Feb 4, 2022· Updated Feb 10, 2025

WP HTML Mail <= 3.0.9 Missing Authorization on REST-API Route

CVE-2022-0218

Description

The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the ~/includes/class-template-designer.php file, in versions up to and including 3.0.9. This makes it possible for attackers with no privileges to execute the endpoint and add malicious JavaScript to a vulnerable WordPress site.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Codemiq/Wp HTML Mailllm-fuzzy2 versions
    <=3.0.9+ 1 more
    • (no CPE)range: <=3.0.9
    • (no CPE)range: 3.0.9

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.