CVE-2022-0218

Name of the Vulnerable Software and Affected Versions WP HTML Mail WordPress plugin versions up to and including 3.0.9

Description The issue allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the "/themesettings" REST-API endpoint found in the ~/includes/class-template-designer.php file. This makes it possible for attackers with no privileges to execute the endpoint and add malicious JavaScript to a vulnerable WordPress site.

Recommendations For versions up to and including 3.0.9, update to a version higher than 3.0.9 to resolve the issue. As a temporary workaround, consider restricting access to the "/themesettings" REST-API endpoint until a patch is available.