Description

WordPress Plugin Email Templates is prone to an HTML injection vulnerability because it fails to properly sanitize user-supplied input. Attacker supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user; other attacks are also possible. WordPress Plugin Email Templates version 1.3 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.3.1 or latest

References

https://blog.nintechnet.com/multiple-wordpress-plugins-vulnerable-to-html-injection/

https://plugins.svn.wordpress.org/email-templates/trunk/README.txt

Related Vulnerabilities

WordPress Plugin WP Shop Multiple SQL Injection Vulnerabilities (3.4.3.15)

WordPress Plugin Contact Form DB Cross-Site Scripting (2.8.19)

Drupal Core 4.7.x Cross-Site Request Forgery (4.7.0 - 4.7.10)

WordPress Plugin Backup, Restore and Migrate WordPress Sites With the XCloner Cross-Site Request Forgery (4.2.152)

Drupal Core 7.x Multiple Vulnerabilities (7.0 - 7.38)

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update XSS