The WPCode – Insert Headers and Footers + Custom Code Snippets WordPress plugin, with over a million installations, was found to have a vulnerability that could allow an attacker to delete log files on the server.
Plugin Description
The WPCode plugin (formerly known as Insert Headers and Footers by WPBeginner) is a popular plugin that allows WordPress publishers to add code snippets to the header and footer areas of their site. This is useful for publishers who need to add a Google Search Console site verification code, CSS, structured data, or even AdSense code: virtually anything that belongs in either the header or the footer of a website.
Vulnerability Details
The WPCode – Insert Headers and Footers plugin before version 2.0.9 contains what has been identified as a Cross-Site Request Forgery (CSRF) vulnerability.
A CSRF attack relies on tricking an end user who is logged in to the WordPress site into clicking a link that performs an unwanted action. The attacker piggybacks on the registered user’s credentials to perform actions on the site where that user is registered.
In this particular case, the unwanted actions are limited to deleting log files. The National Vulnerability Database published details of the vulnerability:
“The WPCode WordPress plugin before 2.0.9 has a flawed CSRF when deleting log and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders.”
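The missing check the NVD entry describes is a path-containment check on the file to be deleted. The following is an added example, not the plugin's own code, of how a WordPress AJAX delete-log handler can pin the request to its log directory: a nonce check against forged cross-site requests, a capability check, and canonicalization with realpath() so that anything resolving outside the directory is refused. The hook name, request field, log directory and `manage_options` capability are assumptions; `check_ajax_referer`, `current_user_can` and `wp_send_json_*` are standard WordPress functions.

```php
<?php
// Added example (not the plugin's code): keep a "delete log" handler inside its directory.

/**
 * Return the canonical path of $requested if, and only if, it resolves to a
 * regular file directly inside $log_dir; otherwise return false.
 */
function example_contained_log_path(string $log_dir, string $requested)
{
    $base = realpath($log_dir);
    if ($base === false) {
        return false;
    }
    // Accept only a bare file name: any directory component (../, absolute
    // paths, backslashes) is refused before the disk is touched.
    if ($requested === '' || $requested !== basename($requested)) {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // realpath() has resolved symlinks; the result must still be a direct child of $base.
    return dirname($target) === $base ? $target : false;
}

// Inside WordPress (assumed hook name and request field): nonce, capability, then containment.
if (function_exists('add_action')) {
    add_action('wp_ajax_example_delete_log', function () {
        check_ajax_referer('example_delete_log');          // dies on a missing or forged nonce
        if (!current_user_can('manage_options')) {        // assumed capability for this action
            wp_send_json_error('forbidden', 403);
        }
        $log_dir = WP_CONTENT_DIR . '/uploads/example-logs'; // assumed log directory
        $path = example_contained_log_path($log_dir, (string) ($_POST['file'] ?? ''));
        if ($path === false || !unlink($path)) {
            wp_send_json_error('invalid log file', 400);
        }
        wp_send_json_success();
    });
}

// Stand-alone demonstration with a constructed temporary log directory.
$dir = sys_get_temp_dir() . '/example-logs-' . getmypid();
mkdir($dir);
file_put_contents("$dir/snippet.log", "constructed sample line\n");
var_dump(example_contained_log_path($dir, 'snippet.log'));   // bare name inside the directory
var_dump(example_contained_log_path($dir, '../other.log'));  // traversal component refused
var_dump(example_contained_log_path($dir, '/etc/hostname')); // absolute path refused
unlink("$dir/snippet.log");
rmdir($dir);
```

Run it with the PHP CLI outside WordPress to see the containment function alone; the handler is only registered when `add_action` exists.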
Second Vulnerability for 2023
This is the second vulnerability discovered in 2023 in the WPCode Insert Headers and Footers plugin. Another vulnerability was discovered in February 2023, affecting versions 2.0.6 and earlier, which the Wordfence WordPress security company described as a “Missing Authorization to Sensitive Key Disclosure/Update.”
The NVD warned of the earlier vulnerability: “The WPCode WordPress plugin before 2.0.7 does not have adequate privilege checks in place for several AJAX actions, only checking the nonce. This may lead to allowing any authenticated user who can edit posts to call the endpoints related to WPCode Library authentication (such as update and delete the auth key).”
Impact
More than a million active installations of the affected WordPress plugin are vulnerable to the CSRF attack. The WPCode plugin was removed from the WordPress plugin repository on April 22, 2023, and users are advised to uninstall the plugin immediately and consider using alternative plugins.
Conclusion
WordPress users should stay vigilant about checking for the latest security updates and patches for their installed plugins. Security experts recommend installing plugins only from trusted sources and choosing those that are regularly updated with the latest security patches.