The WP HTML Mail plugin has been installed on more than 20,000 websites. If you've built a WordPress site for your business and you use that plugin, be aware that you are at risk. A high severity security flaw was recently discovered in the plugin that could allow an attacker to perform a code injection style attack that allows the attacker to send phishing emails to the site's registered users.
The plugin is popular because it is compatible with a wide range of other plugins including BuddyPress, Ninja Forms, WooCommerce, and others. The plugin isn't as wildly popular as many others and doesn't boast an overly impressive number of total installations. However, many of the sites that do use it have large audiences which means that this flaw puts more people at risk than first meets the eye.
The flaw is being tracked as CVE-2022-0218 and was discovered on December 23rd of last year (2021). As of now the plugin's developer has released a patch that addresses the issue.
If you use the plugin check your version number. If you're using anything earlier than 3.1 update to 3.1 or later right away to protect yourself, your reputation, and the customers who have registered on your site.
The last thing you want is for your company to get a black eye when your customers start complaining about a flood of scam emails that start hitting their inboxes right after they create an account on your site.
Although the plugin developer took nearly a month to address the issue they did address it and we give them kudos for that. Here's hoping that if additional security flaws are found in their product they'll have an even faster response that will help keep their users and the customers of their users safe.