Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nvd[email protected]NVD:CVE-2022-0218
HistoryFeb 04, 2022 - 11:15 p.m.

CVE-2022-0218

2022-02-0423:15:12
CWE-862
CWE-79
[email protected]
web.nvd.nist.gov
3
wp html mail
wordpress plugin
unauthorized access
missing capability check
rest-api endpoint
theme settings
malicious javascript

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.032

Percentile

91.4%

JSON

The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the ~/includes/class-template-designer.php file, in versions up to and including 3.0.9. This makes it possible for attackers with no privileges to execute the endpoint and add malicious JavaScript to a vulnerable WordPress site.

Affected configurations

Nvd
Node
codemiqwordpress_email_template_designerRange3.0.9wordpress
VendorProductVersionCPE
codemiqwordpress_email_template_designer*cpe:2.3:a:codemiq:wordpress_email_template_designer:*:*:*:*:*:wordpress:*:*

Related

cnvd 1
nuclei 1
cvelist 1
packetstorm 1
checkpoint_advisories 2
prion 1
cve 1
wordfence 1
zdt 1
wpvulndb 1
patchstack 1
threatpost 1
thn 1
cnvd
cnvd
WordPress WP HTML Mail plugin cross-site scripting vulnerability
2022-01-23 00:00:00
nuclei
nuclei
HTML Email Template Designer < 3.1 - Stored Cross-Site Scripting
2022-01-24 08:47:01
cvelist
cvelist
CVE-2022-0218 WP HTML Mail <= 3.0.9 Missing Authorization on REST-API Route
2022-02-04 22:29:24
packetstorm
packetstorm
WordPress Email Template Designer – WP HTML Mail 3.0.9 Cross Site Scripting
2022-01-19 00:00:00
checkpoint_advisories
checkpoint_advisories
WordPress Email Template Designer Plugin Authentication Bypass (CVE-2022-0218)
2022-10-23 00:00:00
Wordpress Email Template Designer Plugin Authentication Bypass (CVE-2022-0218)
2022-10-30 00:00:00
prion
prion
Design/Logic Flaw
2022-02-04 23:15:00
cve
cve
CVE-2022-0218
2022-02-04 23:15:12
wordfence
wordfence
Unauthenticated XSS Vulnerability Patched in HTML Email Template Designer Plugin
2022-01-19 14:55:52
zdt
zdt
WordPress Email Template Designer – WP HTML Mail 3.0.9 Cross Site Scripting Vulnerability
2022-01-19 00:00:00
wpvulndb
wpvulndb
WP HTML Mail < 3.1 - Unprotected REST-API Endpoint
2022-01-19 00:00:00
patchstack
patchstack
WordPress WP HTML Mail plugin <= 3.0.9 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
2022-01-13 00:00:00
threatpost
threatpost
20K WordPress Sites Exposed by Insecure Plugin REST-API
2022-01-21 18:19:37
thn
thn
Hackers Planted Secret Backdoor in Dozens of WordPress Plugins and Themes
2022-01-22 07:13:00

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.032

Percentile

91.4%

JSON
Related for NVD:CVE-2022-0218
cnvd1nuclei1cvelist1packetstorm1checkpoint_advisories2prion1cve1wordfence1zdt1wpvulndb1patchstack1threatpost1thn1