WordPress vulnerability hits +1 million with header and footer plugin
The WordPress plugin WPCode – Insert Headers and Footers + Custom Code Snippets, with over a million installations, was discovered with a vulnerability that could allow the attacker to delete files on the server.
A warning about the vulnerability was published in the US government’s National Vulnerability Database (NVD).
Insert header and footer plugin
The WPCode plugin (formerly known as Insert Headers and Footers by WPBeginner) is a popular plugin that allows WordPress publishers to add code snippets to the header and footer area.
This is useful for publishers who need to add Google Search Console website validation code, CSS code, structured data, even AdSense code, practically anything that belongs in a website’s header or footer.
Cross-Site Request Forgery (CSRF) vulnerability.
The WPCode – Insert Headers and Footers plugin prior to version 2.0.9 contains a vulnerability identified as a CSRF (Cross-Site Request Forgery) vulnerability.
A CSRF attack relies on tricking an end user registered on the WordPress site into clicking a link that performs an unwanted action.
Basically, the attacker uses the registered user’s credentials to perform actions on the website where the user is registered.
If a logged-in WordPress user clicks on a link containing a malicious request, the website is obligated to fulfill the request because it uses a browser with cookies that correctly identify the user as logged-in.
It is the malicious action performed by the registered user unknowingly that the attacker is counting on.
The non-profit Open Worldwide Application Security Project (OWASP) describes a CSRF vulnerability:
“Cross-Site Request Forgery (CSRF) is an attack that forces an end user to perform undesired actions in a web application in which they are currently authenticated.
With a little help from social engineering (for example, by sending a link via email or chat), an attacker can trick users of a web application into performing actions of the attacker’s choice.
If the victim is a regular user, a successful CSRF attack can force the user to perform status change requests such as money transfers, changing their email address, etc.
If the victim is an administrator account, CSRF can compromise the entire web application.”
The Common Weakness Enumeration (CWE) website, sponsored by the United States Department of Homeland Security, provides a definition of this type of CSRF:
“The web application may or may not adequately verify that a well-formed, valid, consistent request was intentionally made by the user making the request.
…If a web server is designed to receive a request from a client without a mechanism to verify that it was sent intentionally, an attacker could trick a client into making an unintended request to the web server that is treated as an authentic request.
This can be done via a URL, image loading, XMLHttpRequest, etc. and may lead to data disclosure or unintended code execution.”
In this particular case, the undesired actions are limited to deleting log files.
The National Vulnerability Database published details of the vulnerability:
“The WPCode WordPress plugin before 2.0.9 has a bad CSRF when deleting the log and does not ensure that the file to be deleted is in the expected folder.
This could allow attackers to trick users into deleting arbitrary log files on the server, even outside of the blog folders, using the wpcode_activate_snippets function.”
The WPScan website (owned by Automattic) has published a proof of concept of the vulnerability.
A proof of concept in this context is code that verifies and demonstrates that a vulnerability can work.
This is the proof of concept:
"Make a logged in user with the wpcode_activate_snippets capability open the URL below https://example.com/wp-admin/admin.php?page=wpcode-tools&view=logs&wpcode_action=delete_log&log=../../delete-me.log This will make them delete the ~/wp-content/delete-me.log"
Second vulnerability for 2023
This is the second vulnerability discovered in 2023 for the WPCode Insert Headers and Footers plugin.
Another vulnerability was discovered in February 2023 and affects versions 2.0.6 or lower, which the security company Wordfence WordPress identified as a “No authorization to disclose/update sensitive keys.”
According to NVD, the vulnerability report, the vulnerability also affected versions up to 2.0.7.
The NVD warned about the earlier vulnerability:
“The WPCode WordPress plugin prior to 2.0.7 does not have proper permission checks for multiple AJAX actions, it only checks the nonce.
This can result in any authenticated user who can edit posts being able to call the endpoints related to WPCode library authentication (e.g. updating and deleting the authentication key).
WPCode has released a security patch
The changelog for the WordPress plugin WPCode – Insert Headers and Footers responsibly notes that they have fixed a security issue.
A changelog notation for version update 2.0.9 says:
“Fix: Security hardening to delete logs.”
The changelog notation is important because it informs users of the plugin about the content of the update and allows them to make an informed decision on whether to proceed with the update or wait until the next one.
WPCode acted responsibly by responding to the discovery of the vulnerability in a timely manner and also noted the security fix in the change log.
recommended course of action
It is recommended that users of the WPCode – Insert Headers and Footers plugin update their plugin to at least version 2.0.9.
The latest version of the plugin is 2.0.10.
Read more about the vulnerability on the NVD website:
CVE-2023-1624 detail