WordPress Vulnerability Hits +1 Million Using Header & Footer Plugin


The WPCode – Insert Headers and Footers + Custom Code Snippets WordPress plugin, with over one million installations, was found to have a vulnerability that could allow an attacker to delete files on the server.

Warning of the vulnerability was posted on the US Government National Vulnerability Database (NVD).

Insert Headers and Footers Plugin

The WPCode plugin (previously known as Insert Headers and Footers by WPBeginner) is a popular plugin that allows WordPress publishers to add code snippets to the header and footer area.

This is useful for publishers who need to add a Google Search Console site verification code, CSS code, structured data, even AdSense code, virtually anything that belongs in either the header or the footer of a website.

Cross-Site Request Forgery (CSRF) Vulnerability

The WPCode – Insert Headers and Footers plugin before version 2.0.9 contains what has been identified as a Cross-Site Request Forgery (CSRF) vulnerability.

A CSRF attack relies on tricking an end user who is registered on the WordPress site into clicking a link that performs an unwanted action.

The attacker is essentially piggy-backing on the registered user's credentials to perform actions on the site that the user is registered on.

When a logged-in WordPress user clicks a link containing a malicious request, the site carries out the request because the user's browser sends the cookies that correctly identify them as logged in.

It is the malicious action that the registered user unknowingly executes that the attacker is relying on.

The non-profit Open Worldwide Application Security Project (OWASP) describes a CSRF vulnerability:

"Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.

If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth.

If the victim is an administrative account, CSRF can compromise the entire web application."

The Common Weakness Enumeration (CWE) website, which is sponsored by the US Department of Homeland Security, offers a definition of this kind of CSRF:

"The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

…When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request.

This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution."

In this particular case the unwanted actions are limited to deleting log files.

The National Vulnerability Database published details of the vulnerability:

"The WPCode WordPress plugin before 2.0.9 has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder.

This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders."

The WPScan website (owned by Automattic) published a proof of concept of the vulnerability.

A proof of concept, in this context, is code that verifies and demonstrates that a vulnerability can work.

This is the proof of concept:

"Make a logged in user with the wpcode_activate_snippets capability open the URL below

https://example.com/wp-admin/admin.php?page=wpcode-tools&view=logs&wpcode_action=delete_log&log=../../delete-me.log

This will make them delete the ~/wp-content/delete-me.log"
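To make the two defects in the NVD description concrete, here is an added, hypothetical admin-page "delete log" handler written for this article (not WPCode's own code), first with the defects and then hardened with a WordPress nonce bound to the action, a capability check, and a realpath containment check. EXAMPLE_LOG_DIR, the example_* function names, the 'example_delete_log' nonce action and the query parameter names are constructed for the illustration.

```php
<?php
// Added illustration, not WPCode's own code. A hypothetical admin-page
// "delete log" handler with the two defects the advisory describes (no
// anti-CSRF token bound to the action, no check that the target stays in
// the expected folder), followed by a hardened version of the same handler.
// Constructed value: the directory the plugin is expected to delete from.
define( 'EXAMPLE_LOG_DIR', WP_CONTENT_DIR . '/example-plugin-logs' );

// BEFORE: the capability check alone does not prove the user intended this
// request, and "../../x.log" in the query string escapes the log folder.
function example_delete_log_unsafe() {
    if ( ! current_user_can( 'wpcode_activate_snippets' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $log = isset( $_GET['log'] ) ? wp_unslash( $_GET['log'] ) : '';
    unlink( EXAMPLE_LOG_DIR . '/' . $log ); // attacker-influenced path
}

// AFTER: nonce bound to this action, capability check, path containment.
function example_delete_log_safe() {
    // 1. CSRF: check_admin_referer() verifies that the '_wpnonce' query value
    //    was generated for this action and calls wp_die() otherwise, so a
    //    link planted by a third party cannot trigger the deletion.
    check_admin_referer( 'example_delete_log', '_wpnonce' );
    // 2. Authorization: a valid nonce is not a privilege check; the user must
    //    still hold the capability.
    if ( ! current_user_can( 'wpcode_activate_snippets' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // 3. Containment: drop any directory part, resolve the result, and require
    //    it to sit inside the real log directory and carry a .log extension.
    $name = isset( $_GET['log'] ) ? basename( wp_unslash( $_GET['log'] ) ) : '';
    $base = realpath( EXAMPLE_LOG_DIR );
    $path = '' === $name ? false : realpath( EXAMPLE_LOG_DIR . '/' . $name );
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR )
        || '.log' !== substr( $path, -4 ) ) {
        wp_die( 'Invalid log file' );
    }
    unlink( $path );
}

// Links to the action must carry the matching nonce; a URL built without it
// fails the check_admin_referer() call above.
function example_delete_log_url( $name ) {
    $args = array( 'page' => 'example-tools', 'view' => 'logs',
                   'example_action' => 'delete_log', 'log' => rawurlencode( $name ) );
    $url  = add_query_arg( $args, admin_url( 'admin.php' ) );
    return wp_nonce_url( $url, 'example_delete_log', '_wpnonce' );
}
```

With the hardened handler, the traversal value from the proof of concept is reduced to its basename and then rejected unless a file of that name exists inside the log directory, and the request is refused outright when the nonce is absent or was issued for a different action.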

Second Vulnerability for 2023

This is the second vulnerability discovered in 2023 for the WPCode Insert Headers and Footers plugin.

Another vulnerability was discovered in February 2023, affecting versions 2.0.6 or less, which the Wordfence WordPress security company described as a "Missing Authorization to Sensitive Key Disclosure/Update."

According to the NVD vulnerability report, the vulnerability also affected versions up to 2.0.7.

The NVD warned of the earlier vulnerability:

"The WPCode WordPress plugin before 2.0.7 does not have adequate privilege checks in place for several AJAX actions, only checking the nonce.

This may lead to allowing any authenticated user who can edit posts to call the endpoints related to WPCode Library authentication (such as update and delete the auth key)."

WPCode Issued a Security Patch

The changelog for the WPCode – Insert Headers and Footers WordPress plugin responsibly notes that they patched a security issue.

A changelog notation for version update 2.0.9 states:

"Fix: Security hardening for deleting logs."

The changelog notation is important because it alerts users of the plugin to the contents of the update and allows them to make an informed decision on whether to proceed with the update or wait until the next one.

WPCode acted responsibly by responding to the vulnerability discovery on a timely basis and also noting the security fix in the changelog.

Recommended Actions

It is recommended that users of the WPCode – Insert Headers and Footers plugin update their plugin to at least version 2.0.9.

The most recent version of the plugin is 2.0.10.

Read about the vulnerability on the NVD website:

CVE-2023-1624 Detail
