id: CVE-2022-0218

info:
  name: HTML Email Template Designer < 3.1 - Missing Authorization on Rest Route
  author: hexcat
  severity: medium
  description: |
    The WP HTML Mail WordPress plugin is vulnerable to unauthorized access that allows unauthenticated attackers to retrieve and modify theme settings, due to a missing capability check on the /themesettings REST-API endpoint found in the ~/includes/class-template-designer.php file, in versions up to and including 3.0.9. This makes it possible for attackers with no privileges to call the endpoint and add malicious JavaScript to a vulnerable WordPress site.
  impact: |
    An attacker can exploit this vulnerability to inject malicious scripts into the subject field of an email template, potentially leading to unauthorized access, data theft, or further compromise of the affected system.
  remediation: |
    Update to version 3.1 or later of the HTML Email Template Designer plugin to fix the vulnerability.
  reference:
    - https://www.wordfence.com/blog/2022/01/unauthenticated-xss-vulnerability-patched-in-html-email-template-designer-plugin/
    - https://wordpress.org/plugins/wp-html-mail/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0218
    - https://plugins.trac.wordpress.org/changeset/2656984/wp-html-mail/trunk/includes/class-template-designer.php
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-0218
    cwe-id: CWE-79
    epss-score: 0.70511
    epss-percentile: 0.99306
    cpe: cpe:2.3:a:codemiq:wordpress_email_template_designer:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 1
    vendor: codemiq
    product: wordpress_email_template_designer
    framework: wordpress
  tags: cve,cve2022,wordpress,wp-plugin,codemiq,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?rest_route=/whm/v3/themesettings"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"background":'
          - '"footer":'
        condition: and

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 4a0a004730450220115235eab78575d3240cb3c3618f3527b61d75e52cb3300c357d48a2014b3c05022100833872f14d537613afa3a147d0201892a528b5740b795369fe9ef4f8e74a788d:922c64590222798bb761d5b6d8e72950