Unrated severityNVD Advisory· Published Feb 4, 2022· Updated Feb 10, 2025
WP HTML Mail <= 3.0.9 Missing Authorization on REST-API Route
CVE-2022-0218
Description
The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the ~/includes/class-template-designer.php file, in versions up to and including 3.0.9. This makes it possible for attackers with no privileges to execute the endpoint and add malicious JavaScript to a vulnerable WordPress site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<=3.0.9+ 1 more
- (no CPE)range: <=3.0.9
- (no CPE)range: 3.0.9
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.