A recent security flaw has been discovered in the popular WPCode – Insert Headers and Footers + Custom Code Snippets plugin. With over a million installations, it is crucial that this vulnerability is addressed as soon as possible. In addition, the United States Government National Vulnerability Database (NVD) has issued a warning about this flaw.
Plugin Overview: The WPCode plugin, formerly known as Insert Headers and Footers by WPBeginner, is widely used for adding code snippets to the header and footer areas of WordPress websites. This functionality is essential for publishers who must add Google Search Console site validation code, CSS code, structured data, AdSense code, and more.
CSRF Vulnerability: The WPCode – Insert Headers and Footers plugin, in versions before 2.0.9, has been identified as having a Cross-Site Request Forgery (CSRF) vulnerability. A CSRF attack tricks a logged-in WordPress user into clicking a link that performs an unwanted action on the site; because the browser sends the user's session along with the forged request, the action runs with that user's privileges.
OWASP and CWE Definitions: The Open Worldwide Application Security Project (OWASP) and the Common Weakness Enumeration (CWE) website, sponsored by the United States Department of Homeland Security, provide detailed explanations of CSRF vulnerabilities and the potential consequences of successful attacks.
Log File Deletion: In this specific case, the vulnerability allows attackers to exploit users with the 'wpcode_activate_snippets' capability to delete arbitrary log files on the server, even those outside the blog folders.
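As an added illustration of the two defensive checks this class of flaw calls for (it is not WPCode's code, nor the patched logic shipped in 2.0.9, which the article does not show), the handler below is what a WordPress "delete log" action looks like when it is protected against both CSRF and arbitrary file deletion. The hook name, the `example_` function prefix, the `manage_options` capability and the log directory are assumptions; only the WordPress API calls themselves (`check_admin_referer`, `current_user_can`, `sanitize_file_name`, `wp_delete_file`, and so on) are real.

```php
<?php
// Added example, not WPCode's code. Hardened admin-post handler for deleting
// a plugin log file. Three independent checks, in order:
//   1. nonce       -> the request was produced by a page this user loaded (CSRF)
//   2. capability  -> this user is allowed to delete logs at all
//   3. containment -> the file really lives inside the plugin's log directory
// Hook name, prefix, capability and directory are assumptions.

add_action( 'admin_post_example_delete_log', 'example_delete_log_handler' );

function example_delete_log_handler() {
    // 1. CSRF protection. check_admin_referer() dies with 403 if the nonce
    //    is missing, expired, or was generated for another action or user.
    check_admin_referer( 'example_delete_log' );

    // 2. Authorization. A valid nonce is not a permission check: it only
    //    proves the request originated from the site's own UI.
    if ( ! current_user_can( 'manage_options' ) ) {   // capability is an assumption
        wp_die( 'You are not allowed to delete logs.', 403 );
    }

    // 3. Path containment. Accept a bare file name only, then resolve it
    //    and confirm the result is still under the allowed log directory.
    $name   = isset( $_POST['log'] ) ? sanitize_file_name( wp_unslash( $_POST['log'] ) ) : '';
    $target = example_resolve_log_path( example_log_dir(), $name );

    if ( null === $target ) {
        wp_die( 'Invalid log file.', 400 );
    }

    wp_delete_file( $target );
    wp_safe_redirect( add_query_arg( 'deleted', '1', wp_get_referer() ) );
    exit;
}

// Allowed log directory (assumption: an "example-logs" folder under uploads).
function example_log_dir() {
    $upload = wp_upload_dir();
    return trailingslashit( $upload['basedir'] ) . 'example-logs';
}

// Returns the absolute path of $name inside $log_dir, or null if the name is
// empty, contains a path separator, or resolves outside $log_dir.
function example_resolve_log_path( $log_dir, $name ) {
    if ( '' === $name || false !== strpos( $name, '/' ) || false !== strpos( $name, '\\' ) ) {
        return null;
    }
    $base = realpath( $log_dir );
    $path = realpath( $log_dir . '/' . $name );
    if ( false === $base || false === $path ) {
        return null;   // directory missing, or file does not exist
    }
    // realpath() has already collapsed any ".." segments and followed symlinks,
    // so a simple prefix comparison on the resolved path is sufficient.
    if ( 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $path;
}

// The form that triggers this action must carry the matching nonce, e.g.
//   <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
//     <?php wp_nonce_field( 'example_delete_log' ); ?>
//     <input type="hidden" name="action" value="example_delete_log">
//     <input type="text" name="log" value="plugin.log">
//   </form>
```

The order matters for what the article describes: a capability check alone would not have helped, since the affected users already held `wpcode_activate_snippets`; it is the nonce that stops a request forged from another site, and the containment step that stops a legitimately authorized user (or a forged request on their behalf) from reaching files outside the plugin's own folder.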
Proof of Concept: WPScan, owned by Automattic, has published a proof of concept demonstrating how the vulnerability works. A proof of concept, in this context, is code that verifies and demonstrates that a vulnerability can be exploited.
2023 Vulnerabilities: This is the second vulnerability discovered in 2023 for the WPCode Insert Headers and Footers plugin. Another vulnerability, found in February 2023, affected versions 2.0.6 or lower and involved “Missing Authorization to Sensitive Key Disclosure/Update.”
Security Patch Issued: WPCode has responsibly released a security patch to address this vulnerability. The changelog for version 2.0.9 indicates “Fix: Security hardening for deleting logs.”
Recommended Actions: Users of the WPCode – Insert Headers and Footers plugin are strongly advised to update their plugin to at least version 2.0.9. The most current version available is 2.0.10. Stay secure by keeping your plugins up to date!