This week, we have details of a vulnerability in the popular WordPress plugin, WP HTML Mail, which potentially exposed 20,000 WordPress sites, and a vulnerability in TeslaMate software exposing dozens of Teslas to remote access. On more positive news, we have an introduction to vAPI, an open-source laboratory for learning API security, and an article on how to reduce API attack surfaces.
Vulnerability: WordPress Sites Exposed by Insecure REST API
This week, we have another vulnerability in a WordPress plugin: this time, the popular WP HTML Mail plugin. The vulnerability is tracked as CVE-2022-0218 with a CVSS score of 8.3, and it was discovered by Wordfence researcher Chloe Chamberland. The vulnerability may have impacted up to 20,000 WordPress installations, rendering them vulnerable as a result of the cross-site scripting (XSS) bug courtesy of an unprotected REST API endpoint in the plugin.