A problem was found in a popular WordPress plugin called WPCode – Insert Headers & Footers, for the second time in 2023. This plugin is used by over 1 million people to add code to their websites. The problem could let an attacker change or delete important website files or information. The plugin makers are telling users to update to the latest version right away to stop this from happening.
Highlights
- A security problem was found in a WordPress plugin.
- This is the second issue discovered in this WordPress plugin this year.
- The problem is a type of vulnerability called Cross-Site Request Forgery (CSRF).
- The vulnerability could let someone delete files without permission.
- More than 1 million people are using the affected WordPress plugin.
A popular WordPress plugin called WPCode – Insert Headers and Footers + Custom Code Snippets, which is used by more than a million people, was found to have a weakness that could let an attacker delete files from the website server. The United States Government National Vulnerability Database (NVD) posted a warning about this problem. Users of this plugin are advised to take action and update to the latest version to prevent any potential damage.
WPCode Plugin for Inserting Headers and Footers
WPCode is a popular plugin that lets people who use WordPress add their own pieces of code to the top and bottom of their website. It used to be called Insert Headers and Footers by WPBeginner.
WPCode is a tool that’s really useful for people who use WordPress to publish content. It helps them add different types of code to the header and footer of their website. This can include things like Google Search Console site validation codes, CSS code, structured data, and AdSense code. Essentially, WPCode can add anything that belongs in those top or bottom parts of a website.
Cross-Site Request Forgery (CSRF) Vulnerabilities in Website Security
The WPCode plugin, specifically versions before 2.0.9, has a problem that can be used by hackers to perform Cross-Site Request Forgery (CSRF) attacks. This type of attack tricks users into clicking a link that causes unwanted actions on the site. The attacker can take advantage of the user’s account to perform actions on the site.
If a WordPress user is already logged in and they click a link with harmful intentions, then the website will perform the action because it thinks the user wants it to. The attacker takes advantage of the user’s login status to carry out malicious actions without their knowledge.
According to the Open Worldwide Application Security Project (OWASP), a non-profit organization, a CSRF vulnerability is a security weakness that involves an attack where a user is tricked into executing an unwanted action on a web application while they are logged in. Social engineering, such as sending a malicious link, can facilitate this attack. If an ordinary user falls victim to a CSRF attack, they may be forced to transfer money or change their email address. The entire web application can be compromised if an administrative account falls victim to a CSRF attack.
The Common Weakness Enumeration (CWE) website, supported by the United States Department of Homeland Security, explains that in CSRF attacks, a web application does not check whether a valid request was intentionally made by the user who submitted it. Consequently, an attacker can deceive a user into making a request to the web server that they did not intend to make, for example through a URL, an image load, or XMLHttpRequest. This can lead to unintended actions, such as revealing sensitive information or running harmful code.
In this case, the vulnerability allows an attacker to delete log files using the WPCode plugin. The National Vulnerability Database published information about the vulnerability, stating that WPCode version 2.0.9 and earlier have a flawed CSRF function when deleting log files. Attackers can exploit this flaw to make users with the wpcode_activate_snippets capability delete log files outside of the expected folder. The WPScan website also released a proof of concept that demonstrated the vulnerability’s existence and exploitation.
“Make a logged in user with the wpcode_activate_snippets capability open the URL below
https://example.com/wp-admin/admin.php?page=wpcode-tools&view=logs&wpcode_action=delete_log&log=../../delete-me.log
This will make them delete the ~/wp-content/delete-me.log”
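A way to look for this request pattern in web server access logs, as an added example that is not part of the original article or the WPScan advisory: it flags `delete_log` requests whose `log` value climbs out of the log folder or that arrive without a same-site Referer. The log lines, the use of `example.com` as the site's own host, and every file name other than the one in the quoted URL are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

SITE_HOST = "example.com"  # assumption: the site's own host, as in the quoted URL

# Constructed access-log lines in "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2023:09:14:02 +0000] "GET /wp-admin/admin.php?page=wpcode-tools&view=logs&wpcode_action=delete_log&log=../../delete-me.log HTTP/1.1" 302 0 "https://forum.example.net/thread/42" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2023:09:15:40 +0000] "GET /wp-admin/admin.php?page=wpcode-tools&view=logs&wpcode_action=delete_log&log=%252e%252e%252fdebug.log HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2023:10:01:11 +0000] "GET /wp-admin/admin.php?page=wpcode-tools&view=logs&wpcode_action=delete_log&log=error-2023-03-09.log HTTP/1.1" 302 0 "https://example.com/wp-admin/admin.php?page=wpcode-tools&view=logs" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2023:10:02:00 +0000] "GET /wp-admin/admin.php?page=wpcode-tools&view=logs HTTP/1.1" 200 5120 "https://example.com/wp-admin/" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)"')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding such as %252e -> %2e -> '.'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line, site_host=SITE_HOST):
    """Return a finding for a suspicious WPCode delete_log request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, when, target, referer = m.groups()
    url = urlsplit(target)
    query = parse_qs(url.query)  # parse_qs already decodes one layer
    if (not url.path.endswith("/wp-admin/admin.php")
            or query.get("page") != ["wpcode-tools"]
            or query.get("wpcode_action") != ["delete_log"]):
        return None
    name = fully_decode(query.get("log", [""])[0]).replace("\\", "/")
    reasons = []
    if ".." in name.split("/") or name.startswith("/"):
        reasons.append("path-traversal")
    # A state-changing admin request that did not start on the site itself.
    if urlsplit(referer).hostname != site_host:
        reasons.append("cross-site-or-missing-referer")
    return {"ip": ip, "time": when, "log": name, "reasons": reasons} if reasons else None

def scan(text, site_host=SITE_HOST):
    """Classify every line and keep only the flagged requests."""
    return [f for f in map(classify, text.splitlines()) if f]
```

A missing Referer on its own is only a lead, since browsers and privacy tools can strip the header; the traversal reason is the stronger signal.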
The second security vulnerability in 2023
The WPCode Insert Headers and Footers plugin has been found to have a second vulnerability in 2023. A previous vulnerability affecting versions 2.0.6 or lower was discovered in February 2023.
This vulnerability was described by Wordfence as a “Missing Authorization to Sensitive Key Disclosure/Update”. The vulnerability report by the National Vulnerability Database (NVD) stated that versions up to 2.0.7 were affected.
The NVD warned that the plugin did not have sufficient privilege checks in place for several AJAX actions, which could allow authenticated users to call endpoints related to WPCode Library authentication, such as updating and deleting the auth key. The new vulnerability has not been described yet.
WPCode Released a Security Patch in a New Version
WPCode has released a security patch to fix a vulnerability in their Insert Headers and Footers WordPress plugin. The patch is noted in the changelog for version 2.0.9, which includes a security hardening for deleting logs. Users of the plugin are advised to update to at least version 2.0.9 to protect themselves from the vulnerability.
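The two checks a log-deletion handler needs against this kind of flaw, modelled in Python as an added example (it is not WPCode's PHP code or its actual patch): the request must carry a token bound to the session and the action, and the resolved path must stay inside the log folder. `SECRET`, the function names, the session id and the directory layout are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

SECRET = b"constructed-demo-key"  # assumption: a per-site secret

def make_token(session_id, action):
    """Anti-CSRF token tied to one session and one action."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def resolve_inside(log_dir, name):
    """Resolve name under log_dir and refuse anything that ends up outside it."""
    base = os.path.realpath(log_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PermissionError("log path escapes the log folder")
    return candidate

def delete_log(log_dir, name, session_id, token):
    """Delete a log file only for a valid token and a confined path."""
    expected = make_token(session_id, "delete_log")
    if not hmac.compare_digest(expected, token or ""):
        raise PermissionError("missing or invalid anti-CSRF token")
    path = resolve_inside(log_dir, name)
    os.remove(path)
    return path

def demo():
    """Run a forged, a traversing and a legitimate request on a constructed tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        logs = os.path.join(root, "wp-content", "uploads", "logs")  # constructed layout
        os.makedirs(logs)
        outside = os.path.join(root, "wp-content", "delete-me.log")
        for p in (outside, os.path.join(logs, "error.log")):
            open(p, "w").close()
        good = make_token("sess-1", "delete_log")
        cases = {"forged": ("error.log", None),                 # link click, no token
                 "traversal": ("../../delete-me.log", good),    # value from the quoted URL
                 "legit": ("error.log", good)}
        for label, (name, token) in cases.items():
            try:
                delete_log(logs, name, "sess-1", token)
                results[label] = "deleted"
            except PermissionError as exc:
                results[label] = str(exc)
        results["outside_survives"] = os.path.exists(outside)
    return results
```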
Recommendation
If you are a WordPress user and have been using the WPCode Insert Headers and Footers plugin, it is highly recommended that you update to the latest version (2.0.9) as soon as possible. This will help prevent any potential damage that could be caused by the vulnerability.
It is also a good practice to regularly update all your WordPress plugins to their latest versions to ensure that you are always protected against the latest security vulnerabilities. Additionally, you can also install a security plugin on your WordPress website to help detect and prevent potential attacks.
Conclusion
The WPCode Insert Headers and Footers plugin has been found to have a vulnerability that could potentially be exploited by hackers to perform Cross-Site Request Forgery (CSRF) attacks. The vulnerability has been patched in the latest version of the plugin, and users are advised to update to at least version 2.0.9 to protect themselves from potential attacks. It is also recommended that WordPress users regularly update all their plugins and install a security plugin to help prevent any potential security threats.