Vulnerability discovered in WPCode Insert Headers & Footers WordPress plugin for the second time in 2023
Vulnerability discovered in WordPress plugin is the second one found so far this year
Cross-Site Request Forgery (CSRF) Vulnerability could allow deletion of files
More than 1 Million active installations of the affected WordPress plugin
The WPCode Insert Headers and Footers + Custom Code Snippets WordPress plugin, with over a million installations, was discovered to have a vulnerability that could allow an attacker to delete files on the server.
A warning about the vulnerability was posted on the United States government's National Vulnerability Database (NVD).
The WPCode plugin (formerly known as Insert Headers and Footers by WPBeginner) is a popular plugin that allows WordPress publishers to add code snippets to the header and footer areas of a site.
This is useful for publishers who need to add a Google Search Console site verification code, CSS, structured data, or even AdSense code, virtually anything that belongs in either the header or the footer of a website.
Cross-Site Request Forgery (CSRF) Vulnerability
The WPCode Insert Headers and Footers plugin before version 2.0.9 contains what has been identified as a Cross-Site Request Forgery (CSRF) vulnerability.
A CSRF attack relies on tricking an end user who is registered on the WordPress site into clicking a link that performs an unwanted action.
The attacker is essentially piggy-backing on the registered user's credentials to perform actions on the site that the user is registered on.
When a logged-in WordPress user clicks a link containing a malicious request, the site carries out the request because the user's browser sends along the cookies that correctly identify them as logged in.
It is this malicious action, executed unknowingly by the registered user, that the attacker is counting on.
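How a WordPress plugin closes this class of bug, as an added example that is not WPCode's code: a hypothetical admin-post handler that deletes a file, first in the shape that honours any request carrying a login cookie, then with the nonce and capability checks that a cross-site link cannot satisfy. The action name, directory, and capability are assumptions.

```php
<?php
// Added example, not WPCode's code. Both handlers delete a file from a
// hypothetical directory under wp-content; only the hardened one is hooked.

// --- Vulnerable shape (not hooked): the login cookie alone is trusted ---
// Any link that reaches admin-post.php from a logged-in browser is carried
// out, which is exactly what a CSRF attack relies on.
function demo_delete_file_vulnerable() {
    $file = $_GET['file'] ?? '';
    unlink( WP_CONTENT_DIR . '/demo/' . $file ); // no nonce, no capability, no path check
    wp_safe_redirect( admin_url( 'admin.php?page=demo' ) );
    exit;
}

// --- Hardened: prove the request came from this site's own admin UI ---
// The delete link on the plugin's admin page is built with wp_nonce_url(), e.g.
//   wp_nonce_url( admin_url( 'admin-post.php?action=demo_delete_file&file=a.txt' ),
//                 'demo_delete_file_a.txt' );
add_action( 'admin_post_demo_delete_file', 'demo_delete_file_hardened' );
function demo_delete_file_hardened() {
    // 1. Capability check: being logged in is not the same as being allowed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $file = sanitize_file_name( wp_unslash( $_GET['file'] ?? '' ) );

    // 2. Nonce check: the token is tied to the user, the session and this action,
    //    so a link forged on another site cannot carry a valid one.
    //    check_admin_referer() also verifies the Referer and stops on failure.
    check_admin_referer( 'demo_delete_file_' . $file );

    // 3. Confine the path to the intended directory before deleting anything.
    $base = realpath( WP_CONTENT_DIR . '/demo' );
    $path = realpath( $base . '/' . $file );
    if ( false === $base || false === $path
         || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid file', '', array( 'response' => 400 ) );
    }
    unlink( $path );
    wp_safe_redirect( admin_url( 'admin.php?page=demo' ) );
    exit;
}
```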
This is the second vulnerability discovered in 2023 for the WPCode Insert Headers and Footers plugin.
Another vulnerability was discovered in February 2023, affecting versions 2.0.6 and earlier, which the Wordfence WordPress security company described as a “Missing Authorization to Sensitive Key Disclosure/Update.”
According to the NVD vulnerability report, that earlier vulnerability also affected versions up to 2.0.7.