The WPCode – Insert Headers and Footers + Custom Code Snippets WordPress plugin, with over a million installations, was discovered to have a vulnerability that could allow the attacker to delete files on the server.
Warning of the vulnerability was posted on the United States Government National Vulnerability Database (NVD).
Insert Headers and Footers Plugin
The WPCode plugin (formerly known as Insert Headers and Footers by WPBeginner), is a popular plugin that allows WordPress publishers to add code snippets to the header and footer area.
This is useful for publishers who need to add a Google Search Console site validation code, CSS code, structured data, even AdSense code, virtually anything that belongs in either the header of the footer of a website.
Cross-Site Request Forgery (CSRF) Vulnerability
The WPCode – Insert headers and Footers plugin before version 2.0.9 contains what has been identified as a Cross-Site Request Forgery (CSRF) vulnerability.
A CSRF attack relies on tricking an end user who is registered on the WordPress site to click a link which performs an unwanted action.
The attacker is basically piggy-backing on the registered user’s credentials to perform actions on the site that the user is registered on.
When a logged in WordPress user clicks a link containing a malicious request, the site is obligated to carry out the request because they are using a browser with cookies that correctly identifies the user as logged in.
It’s the malicious action that the registered user unknowing is executing that the attacker is counting on.
The non-profit Open Worldwide Application Security Project (OWASP) describes a CSRF vulnerability:
“Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing.
If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth.
If the victim is an administrative account, CSRF can compromise the entire web application.”
The Common Weakness Enumeration (CWE) website, which is sponsored by the United States Department of Homeland Security, offers a definition of this kind of CSRF:
“The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
…When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request.
This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.”
In this particular case the unwanted actions are limited to deleting log files.
The National Vulnerability Database published details of the vulnerability:
“The WPCode WordPress plugin before 2.0.9 has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder.
This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders.”
The WPScan website (owned by Automattic) published a proof of concept of the vulnerability.
A proof of concept, in this context, is code that verifies and demonstrates that a vulnerability can work.
This is the proof of concept:
"Make a logged in user with the wpcode_activate_snippets capability open the URL below https://example.com/wp-admin/admin.php?page=wpcode-tools&view=logs&wpcode_action=delete_log&log=../../delete-me.log This will make them delete the ~/wp-content/delete-me.log"
Second Vulnerability for 2023
This is the second vulnerability discovered in 2023 for the WPCode Insert Headers and Footers plugin.
Another vulnerability was discovered in February 2023, affecting versions 2.0.6 or less, which the Wordfence WordPress security company described as a “Missing Authorization to Sensitive Key Disclosure/Update.”
According to the NVD, the vulnerability report, the vulnerability also affected versions up to 2.0.7.
The NVD warned of the earlier vulnerability:
“The WPCode WordPress plugin before 2.0.7 does not have adequate privilege checks in place for several AJAX actions, only checking the nonce.
This may lead to allowing any authenticated user who can edit posts to call the endpoints related to WPCode Library authentication (such as update and delete the auth key).”
WPCode Issued a Security Patch
The Changelog for the WPCode – Insert Headers and Footers WordPress plugin responsibly notes that they patched a security issue.
“Fix: Security hardening for deleting logs.”
The changelog notation is important because it alerts users of the plugin of the contents of the update and allows them to make an informed decision on whether to proceed with the update or wait until the next one.
WPCode acted responsibly by responding to the vulnerability discovery on a timely basis and also noting the security fix in the changelog.
It is recommended that users of the WPCode – Insert headers and Footers plugin update their plugin to at least version 2.0.9.
The most up to date version of the plugin is 2.0.10.
Read about the vulnerability at the NVD website: