CVE-2022-0218 Overview
CVE-2022-0218 is a stored Cross-Site Scripting (XSS) vulnerability in the WP HTML Mail WordPress plugin. A missing capability check on the /themesettings REST-API endpoint allows unauthenticated attackers to retrieve and modify theme settings. The flaw is in the ~/includes/class-template-designer.php file in versions up to and including 3.0.9, so a visitor with no privileges can call the endpoint and inject malicious JavaScript into vulnerable WordPress sites.
Critical Impact
Unauthenticated attackers can inject malicious JavaScript code into WordPress sites through the unprotected REST-API endpoint, potentially leading to session hijacking, credential theft, and site defacement.
Affected Products
- Codemiq WordPress Email Template Designer (WP HTML Mail) versions up to and including 3.0.9
- WordPress sites utilizing the WP HTML Mail plugin for email customization
Discovery Timeline
- 2022-02-04 - CVE-2022-0218 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0218
Vulnerability Analysis
This vulnerability stems from a missing authorization check in the WP HTML Mail WordPress plugin's REST-API implementation. The /themesettings endpoint in the class-template-designer.php file lacks proper capability verification, allowing any unauthenticated user to access and modify the plugin's theme configuration settings. This broken access control issue directly enables stored XSS attacks by permitting attackers to inject malicious JavaScript code into the email template settings without authentication.
The vulnerability is particularly dangerous because it combines two security weaknesses: unauthorized access to a REST-API endpoint and the ability to persist malicious scripts that execute in the context of users viewing the affected content. The network-accessible nature of the attack vector, combined with no authentication requirements, significantly expands the potential attack surface.
Root Cause
The root cause of CVE-2022-0218 is a missing capability check (authorization bypass) in the REST-API endpoint handler within the class-template-designer.php file. The developers failed to implement proper WordPress capability verification before allowing modifications to theme settings. This oversight means the endpoint does not validate whether the requesting user has appropriate administrative privileges before processing the request, violating the principle of least privilege.
Attack Vector
The attack is executed remotely over the network by sending crafted HTTP requests to the unprotected /themesettings REST-API endpoint. An attacker requires no authentication or special privileges to exploit this vulnerability.
The exploitation flow involves:
- The attacker identifies a WordPress site running a vulnerable version of WP HTML Mail (versions ≤3.0.9)
- The attacker sends a malicious request to the /themesettings REST-API endpoint containing JavaScript payload
- The server accepts the request without verifying authorization and stores the malicious content
- When legitimate users or administrators view email templates or related settings, the stored JavaScript executes in their browser context
- The malicious script can then steal session cookies, redirect users to phishing pages, or perform actions on behalf of the authenticated user
For detailed technical analysis of this vulnerability, refer to the Wordfence security advisory.
Detection Methods for CVE-2022-0218
Indicators of Compromise
- Unexpected modifications to WP HTML Mail theme settings or email templates
- Unusual JavaScript code present in email template configurations
- Suspicious REST-API requests targeting /wp-json/*/themesettings endpoints in web server logs
- Reports of unexpected redirects or popups when administrators access the email template designer
Detection Strategies
- Monitor web server access logs for unauthenticated POST/PUT requests to REST-API endpoints containing themesettings
- Implement Web Application Firewall (WAF) rules to detect and block requests with JavaScript payloads targeting the vulnerable endpoint
- Conduct regular audits of email template settings for unexpected or malicious content
- Deploy file integrity monitoring to detect unauthorized changes to plugin files
Monitoring Recommendations
- Enable verbose logging for WordPress REST-API requests and review for anomalous patterns
- Configure security plugins to alert on configuration changes to the WP HTML Mail plugin
- Implement real-time monitoring for XSS attack signatures in HTTP request bodies
- Regularly review plugin activity logs for unauthorized settings modifications
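As an added example (not part of this advisory and not code from WP HTML Mail), the following stand-alone PHP CLI script carries out the log review and settings audit recommended in the two lists above: it picks out POST/PUT/PATCH requests whose target names a themesettings route, in both the /wp-json/ and the ?rest_route= form, and flags stored setting values that carry script markers. The REST namespace example-mail/v1, the option keys and every log line are constructed for illustration.

```php
<?php
/**
 * Added example, not part of the advisory or of WP HTML Mail: a stand-alone
 * PHP CLI script for the log review and settings audit recommended above.
 * The REST namespace 'example-mail/v1' and every log line below are
 * constructed for illustration. Run with: php scan_themesettings.php
 */

// Apache/Nginx "combined" log format: ip ident user [time] "METHOD target proto" status ...
const ACCESS_LOG_RE =
	'#^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) #';

// Return every write request whose target names a themesettings route, in
// either the pretty-permalink form (/wp-json/.../themesettings) or the
// query form (index.php?rest_route=/.../themesettings).
function themesettings_write_requests( array $lines ) {
	$hits = array();
	foreach ( $lines as $line ) {
		if ( ! preg_match( ACCESS_LOG_RE, $line, $m ) ) {
			continue; // not a combined-format line; skip rather than guess
		}
		if ( ! in_array( $m['method'], array( 'POST', 'PUT', 'PATCH' ), true ) ) {
			continue; // reads are noisy; the advisory's concern is modification
		}
		if ( stripos( $m['target'], 'themesettings' ) === false ) {
			continue;
		}
		$hits[] = array(
			'ip'     => $m['ip'],
			'time'   => $m['time'],
			'method' => $m['method'],
			'target' => $m['target'],
			// Before the fix an unauthenticated write returns 200; after it,
			// 401/403. A 200 on a pre-3.1 install is the indicator to chase.
			'status' => (int) $m['status'],
		);
	}
	return $hits;
}

// Settings audit: flag values that carry script markers. Inside WordPress,
// feed it the array returned by get_option() for the plugin's theme option;
// here a constructed array stands in for it.
function script_bearing_settings( array $settings ) {
	$flagged = array();
	foreach ( $settings as $key => $value ) {
		if ( is_string( $value ) && preg_match( '/<\s*script\b|\bon[a-z]+\s*=|javascript\s*:/i', $value ) ) {
			$flagged[] = $key;
		}
	}
	return $flagged;
}

// ---- constructed sample data (not real traffic or real settings) --------
$sample_log = array(
	'203.0.113.7 - - [05/Feb/2022:10:14:02 +0000] "POST /wp-json/example-mail/v1/themesettings HTTP/1.1" 200 231 "-" "curl/7.81.0"',
	'203.0.113.7 - - [05/Feb/2022:10:14:09 +0000] "POST /index.php?rest_route=/example-mail/v1/themesettings HTTP/1.1" 200 231 "-" "curl/7.81.0"',
	'198.51.100.4 - - [05/Feb/2022:10:15:40 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
	'198.51.100.4 - - [05/Feb/2022:10:16:01 +0000] "GET /wp-json/example-mail/v1/themesettings HTTP/1.1" 200 231 "-" "Mozilla/5.0"',
);
$sample_settings = array(
	'header_color' => '#1e73be',
	'footer_html'  => '<p>Thanks for reading</p><script>/* injected marker */</script>',
	'logo_url'     => 'https://example.com/logo.png',
);

foreach ( themesettings_write_requests( $sample_log ) as $hit ) {
	printf( "%s %s %s -> %d (%s)\n", $hit['time'], $hit['ip'], $hit['method'], $hit['status'], $hit['target'] );
}
foreach ( script_bearing_settings( $sample_settings ) as $key ) {
	echo "setting '$key' contains script markers\n";
}
```

Against the constructed data the script reports the two POST lines from 203.0.113.7 (the GET reads are deliberately ignored) and flags the footer_html setting. Point it at a real access log by replacing $sample_log with file('/path/to/access.log', FILE_IGNORE_NEW_LINES), and note that the rest_route form must be matched as well as the /wp-json/ form, because a log search for /wp-json/ alone misses it.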
How to Mitigate CVE-2022-0218
Immediate Actions Required
- Update WP HTML Mail (WordPress Email Template Designer) plugin to version 3.1 or later immediately
- Review email template settings for any unauthorized JavaScript or suspicious content
- Audit web server logs for past exploitation attempts targeting the /themesettings endpoint
- Consider temporarily disabling the plugin if immediate patching is not possible
Patch Information
Codemiq has released a security patch addressing this vulnerability. The fix implements proper capability checks on the /themesettings REST-API endpoint to ensure only authorized users can access and modify theme settings. The patch can be reviewed in the WordPress Plugin Change Log.
Update to version 3.1 or later of the WP HTML Mail plugin through the WordPress admin dashboard or by downloading directly from the WordPress plugin repository.
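The Root Cause section above describes a REST route registered without a capability check, and this section says the fix adds one. As an added illustration, not code from WP HTML Mail or from its 3.1 patch, the following PHP shows that vulnerable registration pattern beside a hardened version of the same route. The namespace example-mail/v1, the option name example_mail_theme, the manage_options capability and all function names are assumptions for illustration; the code is meant to run inside a WordPress plugin file.

```php
<?php
/**
 * Added example, not code from WP HTML Mail: the registration pattern that
 * yields a REST route with no capability check (the root cause described
 * above) beside a hardened version of the same route. The namespace
 * 'example-mail/v1', the option name 'example_mail_theme' and all function
 * names are assumptions for illustration. Runs inside WordPress (plugin file).
 */

/* ---- Vulnerable pattern (shown for contrast; deliberately not hooked) --- */

function vuln_register_themesettings_route() {
	register_rest_route( 'example-mail/v1', '/themesettings', array(
		'methods'             => WP_REST_Server::EDITABLE, // POST, PUT, PATCH
		'callback'            => 'vuln_save_themesettings',
		// Always true: any visitor, logged in or not, may call this route.
		'permission_callback' => '__return_true',
	) );
}

function vuln_save_themesettings( WP_REST_Request $request ) {
	// Stored unsanitized and later rendered in the template designer,
	// so a <script> element in any field becomes stored XSS.
	update_option( 'example_mail_theme', $request->get_json_params() );
	return rest_ensure_response( array( 'saved' => true ) );
}

/* ---- Hardened pattern --------------------------------------------------- */

// Capability check. WordPress only populates the current user for a
// cookie-authenticated REST request when a valid X-WP-Nonce is sent, so an
// unauthenticated caller fails current_user_can() and receives 401
// (not logged in) or 403 (logged in without the capability).
function hardened_themesettings_permission( WP_REST_Request $request ) {
	if ( ! current_user_can( 'manage_options' ) ) {
		return new WP_Error(
			'rest_forbidden',
			'You are not allowed to change mail theme settings.',
			array( 'status' => rest_authorization_required_code() )
		);
	}
	return true;
}

// Defence in depth: even an administrator's input is filtered before it is
// stored, so the designer never echoes raw <script> or on* handlers.
function hardened_sanitize_themesettings( array $settings ) {
	$clean = array();
	foreach ( $settings as $key => $value ) {
		if ( ! is_string( $value ) ) {
			continue; // only scalar string settings are expected
		}
		$clean[ sanitize_key( $key ) ] = wp_kses_post( $value );
	}
	return $clean;
}

function hardened_save_themesettings( WP_REST_Request $request ) {
	$params = $request->get_json_params();
	if ( ! is_array( $params ) ) {
		return new WP_Error( 'rest_invalid_param', 'Expected a JSON object.', array( 'status' => 400 ) );
	}
	update_option( 'example_mail_theme', hardened_sanitize_themesettings( $params ) );
	return rest_ensure_response( array( 'saved' => true ) );
}

function hardened_register_themesettings_route() {
	register_rest_route( 'example-mail/v1', '/themesettings', array(
		'methods'             => WP_REST_Server::EDITABLE,
		'callback'            => 'hardened_save_themesettings',
		'permission_callback' => 'hardened_themesettings_permission',
	) );
}

add_action( 'rest_api_init', 'hardened_register_themesettings_route' );
```

The permission_callback is the control the advisory says was missing; the sanitization step is additional defence in depth, and the page that renders the stored values still has to escape them on output (esc_html() for plain text, wp_kses_post() for HTML fragments). Whether the actual 3.1 fix uses manage_options or another capability is not stated on this page.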
Workarounds
- Restrict access to the WordPress REST-API using server-level configuration or security plugins until patching is complete
- Implement WAF rules to block unauthenticated requests to the /themesettings endpoint
- Consider using WordPress security plugins that provide virtual patching capabilities for known vulnerabilities
- Temporarily disable the WP HTML Mail plugin if it is not critical to site operations
# Example: Block write access to the vulnerable endpoint via .htaccess (Apache)
# Note: %{REQUEST_URI} does not include the query string, so the route is also
# matched in its index.php?rest_route=/.../themesettings form; a rule that only
# checks the path leaves that form of the same endpoint unblocked.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(POST|PUT)$ [NC]
    RewriteCond %{REQUEST_URI} themesettings [NC,OR]
    RewriteCond %{QUERY_STRING} rest_route=[^&]*themesettings [NC]
    RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

