Description
WordPress Plugin WordPress Email Template Designer-WP HTML Mail is prone to an HTML injection vulnerability because it fails to properly sanitize user-supplied input. Attacker supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user; other attacks are also possible. WordPress Plugin WordPress Email Template Designer-WP HTML Mail version 2.9.0.3 is vulnerable; prior versions may also be affected.
Remediation
Update to plugin version 2.9.1.1 or latest
References
https://blog.nintechnet.com/multiple-wordpress-plugins-vulnerable-to-html-injection/
https://plugins.svn.wordpress.org/wp-html-mail/trunk/readme.txt
Related Vulnerabilities
MySQL CVE-2013-0385 Vulnerability (CVE-2013-0385)
WordPress Plugin Sagenda-Free booking system PHP Object Injection (1.3.2)
WordPress Plugin YITH WooCommerce Multi Vendor Cross-Site Scripting (3.8.0)
Drupal Core 8.x.x Cross-Site Scripting (8.0.0 - 8.8.12)
WordPress Plugin FoxyPress 'uploadify.php' Arbitrary File Upload (0.4.2.1)