CVSS: 8.3EPSS: 2%CPEs: 1EXPL: 1CVE-2022-0218 – WP HTML Mail <= 3.0.9 Missing Authorization on REST-API Route
https://notcve.org/view.php?id=CVE-2022-0218
19 Jan 2022 — The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the ~/includes/class-template-designer.php file, in versions up to and including 3.0.9. This makes it possible for attackers with no privileges to execute the endpoint and add malicious JavaScript to a vulnerable WordPress site. El plugin WP HTML Mail de WordPress es vulnerable al... • https://plugins.trac.wordpress.org/changeset/2656984/wp-html-mail/trunk/includes/class-template-designer.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-20779 – WordPress Email Template Designer < 3.0.8 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2021-20779
06 Jul 2021 — Cross-site request forgery (CSRF) vulnerability in WordPress Email Template Designer - WP HTML Mail versions prior to 3.0.8 allows remote attackers to hijack the authentication of administrators via unspecified vectors. Una vulnerabilidad de tipo Cross-site request forgery (CSRF) en WordPress Email Template Designer - WP HTML Mail versiones anteriores a 3.0.8, permite a atacantes remotos secuestrar la autenticación de los administradores por medio de vectores no especificados • https://codemiq.com/en • CWE-352: Cross-Site Request Forgery (CSRF) •