The WPCode – Insert Headers and Footers + Custom Code Snippets WordPress plugin, with over a million installations, was discovered to have a vulnerability that could allow the attacker to delete files on the server.
Warning of the vulnerability was posted on the United States Government National Vulnerability Database (NVD).
One of the most popular WordPress plugins, WPCode – Insert Headers and Footers + Custom Code Snippets, has been discovered to have a security flaw that could potentially allow hackers to delete files on the server. With over a million installations, this is a significant concern for website owners who rely on the plugin for various purposes.
The vulnerability was discovered and posted on the United States Government National Vulnerability Database (NVD) on June 4th, 2021. The NVD’s advisory warns that the plugin, which allows users to add custom code snippets to their website’s header and footer, is vulnerable to a “path traversal vulnerability.” Essentially, this means that an attacker could tamper with the path of a URL to access files on the server that they shouldn’t have access to.
In the case of WPCode – Insert Headers and Footers + Custom Code Snippets, this could allow an attacker to delete files on the server, potentially causing significant damage to the website. The NVD advises that website owners using the plugin should update to version 1.5.3, which includes a patch for the vulnerability.
According to WPCode’s developers, the plugin has been downloaded over 1.4 million times, and it’s currently active on over 200,000 websites. This means that a significant number of website owners could be at risk if they haven’t updated their plugin to the latest version.
This isn’t the first time that a popular WordPress plugin has been found to have a security flaw. In fact, WordPress plugins are a common target for hackers, as they often provide an easy entry point into a website’s code. Website owners should always be vigilant about updating their plugins to the latest versions and keeping their websites secure.
In conclusion, if you’re using WPCode – Insert Headers and Footers + Custom Code Snippets on your website, it’s essential to update to version 1.5.3 as soon as possible to protect your website from potential attacks. Additionally, website owners should always be aware of the security risks associated with using WordPress plugins and take steps to keep their websites secure.
Insert Headers and Footers Plugin
The WPCode plugin (formerly known as Insert Headers and Footers by WPBeginner), is a popular plugin that allows WordPress publishers to add code snippets to the header and footer area.
This is useful for publishers who need to add a Google Search Console site validation code, CSS code, structured data, even AdSense code, virtually anything that belongs in either the header or the footer of a website.
Cross-Site Request Forgery (CSRF) Vulnerability
The WPCode – Insert headers and Footers plugin before version 2.0.9 contains what has been identified as a Cross-Site Request Forgery (CSRF) vulnerability.
A CSRF attack relies on tricking an end user who is registered on the WordPress site to click a link which performs an unwanted action.
The attacker is basically piggy-backing on the registered user’s credentials to perform actions on the site that the user is registered on.
When a logged-in WordPress user clicks a link containing a malicious request, the site carries out the request because the browser automatically sends the cookies that identify the user as logged in.
It is the malicious action that the registered user unknowingly executes that the attacker is counting on.
The non-profit Open Worldwide Application Security Project (OWASP) describes a CSRF vulnerability:
“Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing.
If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth.
If the victim is an administrative account, CSRF can compromise the entire web application.”
The Common Weakness Enumeration (CWE) website, which is sponsored by the United States Department of Homeland Security, offers a definition of this kind of CSRF:
“The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
…When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request.
This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.”
In this particular case the unwanted actions are limited to deleting log files.
The National Vulnerability Database published details of the vulnerability:
“The WPCode WordPress plugin before 2.0.9 has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder.
This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders.”
The WPScan website (owned by Automattic) published a proof of concept of the vulnerability.
A proof of concept, in this context, is code that verifies and demonstrates that a vulnerability can work.
This is the proof of concept:
"Make a logged in user with the wpcode_activate_snippets capability open the URL below https://example.com/wp-admin/admin.php?page=wpcode-tools&view=logs&wpcode_action=delete_log&log=../../delete-me.log This will make them delete the ~/wp-content/delete-me.log"
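The advisory above describes two separate defects in the delete-log action: the request is not protected against CSRF, and the supplied file name is not confined to the expected logs folder. The following is an added example, not WPCode's own code, of how a WordPress plugin can close both gaps in one admin handler. The function names, hook name, query-string keys, the `example-plugin-logs` folder and the use of the core `manage_options` capability are assumptions made for the example (the page names `wpcode_activate_snippets`, which is the plugin's own capability); the WordPress APIs it calls (`check_admin_referer`, `current_user_can`, `wp_nonce_url`, `wp_delete_file`, `wp_die`) are real.

```php
<?php
/**
 * Added example (not WPCode's code): a hardened "delete a log file" admin
 * action that addresses the two weaknesses described in the advisory:
 *   1. CSRF            - the request must carry a nonce tied to this action.
 *   2. Path traversal  - the target must resolve to a file inside the logs folder.
 * Names prefixed "example_" are hypothetical; the WordPress functions are real.
 */

// Assumed logs directory for this example; WPCode's real location is not given on the page.
define( 'EXAMPLE_LOG_DIR', WP_CONTENT_DIR . '/example-plugin-logs' );

/**
 * Resolve a user-supplied log name to an absolute path inside EXAMPLE_LOG_DIR.
 * Returns false when the name escapes the folder or the file does not exist.
 */
function example_resolve_log_path( $requested ) {
    // Keep only the final path component: "../../delete-me.log" becomes "delete-me.log".
    $name = basename( (string) $requested );
    if ( '' === $name || '.' === $name || '..' === $name ) {
        return false;
    }

    $base = realpath( EXAMPLE_LOG_DIR );
    $path = realpath( EXAMPLE_LOG_DIR . '/' . $name );
    if ( false === $base || false === $path ) {
        return false; // logs folder missing, or the file does not exist
    }

    // Containment check on the *resolved* paths, so neither "../" nor a
    // symlink placed in the logs folder can point outside it.
    if ( 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $path;
}

/**
 * Build the delete link shown in the admin UI. wp_nonce_url() appends a
 * _wpnonce parameter bound to the current user, the action and this file name,
 * so a link forged by a third party cannot carry a valid nonce.
 */
function example_delete_log_url( $name ) {
    $url = add_query_arg(
        array(
            'page'           => 'example-tools',
            'view'           => 'logs',
            'example_action' => 'delete_log',
            'log'            => $name,
        ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'example_delete_log_' . $name );
}

/**
 * Handle the delete request on admin_init. Every check must pass before
 * anything touches the filesystem.
 */
function example_handle_delete_log() {
    if ( ! isset( $_GET['example_action'] ) || 'delete_log' !== $_GET['example_action'] ) {
        return;
    }
    $name = isset( $_GET['log'] ) ? wp_unslash( $_GET['log'] ) : '';

    // 1. Authorization: a valid nonce is not a substitute for a capability check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: check_admin_referer() stops the request with a 403 when the nonce
    //    is missing, expired, or was issued for another action or file.
    check_admin_referer( 'example_delete_log_' . $name );

    // 3. Path containment: refuse anything that does not resolve inside the logs folder.
    $path = example_resolve_log_path( $name );
    if ( false === $path ) {
        wp_die( 'Invalid log file.', '', array( 'response' => 400 ) );
    }

    wp_delete_file( $path );
    wp_safe_redirect( remove_query_arg( array( 'example_action', 'log', '_wpnonce' ) ) );
    exit;
}
add_action( 'admin_init', 'example_handle_delete_log' );
```

Against a request shaped like the proof of concept (`log=../../delete-me.log` with no nonce), the handler stops at the nonce check with a 403; even a request that did carry a valid nonce would have the `../` components removed by `basename()`, and anything that still resolved outside the logs folder would be rejected by the `realpath()` containment check before `wp_delete_file()` is reached. The three checks are deliberately independent so that a regression in one does not reopen the other two.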
Second Vulnerability for 2023
This is the second vulnerability discovered in 2023 for the WPCode Insert Headers and Footers plugin.
Another vulnerability was discovered in February 2023, affecting versions 2.0.6 or less, which the Wordfence WordPress security company described as a “Missing Authorization to Sensitive Key Disclosure/Update.”
According to the NVD vulnerability report, the vulnerability also affected versions up to 2.0.7.
The NVD warned of the earlier vulnerability:
“The WPCode WordPress plugin before 2.0.7 does not have adequate privilege checks in place for several AJAX actions, only checking the nonce.
This may lead to allowing any authenticated user who can edit posts to call the endpoints related to WPCode Library authentication (such as update and delete the auth key).”
WPCode Issued a Security Patch
The Changelog for the WPCode – Insert Headers and Footers WordPress plugin responsibly notes that they patched a security issue.
A changelog notation for version update 2.0.9 states:
“Fix: Security hardening for deleting logs.”
The changelog notation is important because it alerts users of the plugin of the contents of the update and allows them to make an informed decision on whether to proceed with the update or wait until the next one.
WPCode acted responsibly by responding to the vulnerability discovery on a timely basis and also noting the security fix in the changelog.
It is recommended that users of the WPCode – Insert headers and Footers plugin update their plugin to at least version 2.0.9.
The most up to date version of the plugin is 2.0.10.
Read about the vulnerability at the NVD website: