CVE-2019-25144: 
WordPress vulnerability analysis and mitigation

The WP HTML Mail plugin for WordPress was found to be vulnerable to HTML injection (CVE-2019-25144) in versions up to and including 2.2.10. The vulnerability was discovered on October 16, 2019, and publicly disclosed on October 25, 2019. This security issue affects the WordPress Email Template Designer plugin, which is used to convert plain text emails to HTML format (NVD, NinTechNet Blog).

The vulnerability stems from insufficient input sanitization when converting plain text emails to HTML format. The plugin takes the content of the 'text/plain' part and converts it to 'text/html' without proper sanitization. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows unauthenticated attackers to inject arbitrary HTML in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. This can be exploited for phishing attacks and CSRF (Cross-Site Request Forgery) attacks targeting administrators, as it affects all messages sent by the blog, its plugins, and themes (NinTechNet Blog).

Users are advised to update the WP HTML Mail plugin to version 2.9.1 or later, which contains the fix for this vulnerability. The issue affects installations with versions up to and including 2.2.10 (WPScan).