Bill Toulas reports:
The WordPress WP HTML Mail plugin, installed in over 20,000 sites, is vulnerable to a high-severity flaw that can lead to code injection and the distribution of convincing phishing emails.
‘WP HTML Mail’ is a plugin used for designing custom emails, contact form notifications, and generally tailored messages that online platforms send to their audience.
The plugin is compatible with WooCommerce, Ninja Forms, BuddyPress, and others. While the number of sites using it isn’t large, many have a large audience, allowing the flaw to affect a significant number of Internet users.
Read more at BleepingComputer.