From d24e32dbcd56879a038f9a0f66407d2a376a462d Mon Sep 17 00:00:00 2001
From: Artem Guzhva
Date: Fri, 21 Jan 2022 17:21:33 +0000
Subject: [PATCH] Added wp-html-mail-xss template
---
.../wordpress/wp-html-mail-xss.yaml | 29 +++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 vulnerabilities/wordpress/wp-html-mail-xss.yaml
diff --git a/vulnerabilities/wordpress/wp-html-mail-xss.yaml b/vulnerabilities/wordpress/wp-html-mail-xss.yaml
new file mode 100644
index 0000000000..8099e2b7ed
--- /dev/null
+++ b/vulnerabilities/wordpress/wp-html-mail-xss.yaml
@@ -0,0 +1,29 @@
+id: wp-html-mail-xss
+
+info:
+ name: HTML Email Template Designer < 3.1 - Stored Cross-Site Scripting (XSS)
+ author: hexcat
+ severity: high
+ description: >
+ WordPress Email Template Designer – WP HTML Mail allows stored XSS through
+ an unprotected REST-API endpoint (CVE-2022-0218).
+ reference: https://www.wordfence.com/blog/2022/01/unauthenticated-xss-vulnerability-patched-in-html-email-template-designer-plugin/
+ tags: wordpress,wp-plugin,xss
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/index.php?rest_route=/whm/v3/themesettings"
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "application/json"
+ part: header
+ - type: word
+ words:
+ - "footer"
+ part: body
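Review bot: The final body matcher accepts any 200 JSON response that contains the single word `footer`, so an unrelated handler answering on `rest_route=/whm/v3/themesettings` would be reported as a high-severity finding. What the three matchers actually establish is that the settings route answers without authentication, not that script was stored, so the name and description would be more accurate if they said the template detects the unprotected endpoint. Tighten the body check by listing several keys specific to this plugin's settings response under `words:` with `condition: and`, taken from a captured response of an affected version rather than guessed. The CVE appears only in the free-text description; adding `classification:` with `cve-id: CVE-2022-0218` under `info:` and `cve` to `tags` would let users filter and report on it.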