.. / CVE-2022-0218

Exploit for HTML Email Template Designer < 3.1 - Stored Cross-Site Scripting (CVE-2022-0218)

Description:

WordPress Email Template Designer WP HTML Mail allows stored cross-site scripting through an unprotected REST-API endpoint.

Nuclei Template

View the template here CVE-2022-0218.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2022/CVE-2022-0218.yaml
Copy

References:

https://github.com/ARPSyndicate/cvemon
https://www.wordfence.com/blog/2022/01/unauthenticated-xss-vulnerability-patched-in-html-email-template-designer-plugin/
https://nvd.nist.gov/vuln/detail/CVE-2022-0218
https://wordpress.org/plugins/wp-html-mail/
https://plugins.trac.wordpress.org/changeset/2656984/wp-html-mail/trunk/includes/class-template-designer.php