A Cross-Site Request Forgery (CSRF) vulnerability has been detected in WPCode – Insert Headers and Footers plugin version 2.0.9 and earlier. The security flaw was found in the WPCode WordPress plugin, which has over a million installations. The vulnerability could enable attackers to delete server files.
The WPCode plugin, previously known as Insert Headers and Footers by WPBeginner, is a well-known plugin that permits WordPress publishers to incorporate code snippets into the header and footer sections of their website. This feature is beneficial for publishers who require adding various codes such as Google Search Console site validation, structured data, CSS code, AdSense code, or anything else that belongs in either the header or footer of a website.
What is Cross-Site Request Forgery (CSRF) vulnerability?
Cross-Site Request Forgery (CSRF) is a type of attack that exploits an end user’s authenticated state on a web application to perform unwanted actions. Social engineering tactics, such as sending a link via email or chat, may be used by attackers to trick users of a web application into executing actions chosen by the attacker.
The attacker exploits the registered user’s credentials to execute actions on the site. When a logged-in user clicks on a harmful request link, the site is compelled to execute the request since they are utilizing a browser with cookies that confirms the user’s login status. The attacker’s intention is for the registered user to unwittingly execute the malicious action.
In the case of a normal user, a successful CSRF attack can compel the user to perform requests that alter the state of the application, such as transferring funds or changing their email address. However, if the victim is an administrative account, CSRF can jeopardize the entire web application.
The National Vulnerability Database (NVD) describes the vulnerability as “The WPCode WordPress plugin before 2.0.9 has a flawed CSRF when deleting log and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders.”
The WPCode Insert Headers and Footers plugin has been found to have a second vulnerability in 2023. An earlier vulnerability affecting versions 2.0.6 or below was discovered in February 2023. This vulnerability, which was identified as “Missing Authorization to Sensitive Key Disclosure/Update” by the Wordfence WordPress security company, allowed unauthorized access to sensitive information. According to the vulnerability report by the NVD, this vulnerability was also present in versions up to 2.0.7.
Security patch issued
A security patch was issued by WPCode for the Insert Headers and Footers WordPress plugin. The changelog for the plugin’s version 2.0.9 update includes a notation about the security hardening that was done to address the issue of deleting logs.
The changelog is an important way to inform plugin users about the contents of the update, allowing them to make an informed decision on whether to update or wait for the next one. WPCode’s response to the vulnerability discovery and their inclusion of the security fix in the changelog reflects responsible behavior.
Users of the WPCode – Insert Headers and Footers plugin are advised to update their plugin to version 2.0.9 or later.
The recent detection of a Cross-Site Request Forgery (CSRF) vulnerability in WPCode’s Insert Headers and Footers plugin serves as a reminder of the importance of regularly updating and maintaining plugins on WordPress sites. WPCode’s prompt response in issuing a security patch and including the fix in the changelog is commendable and reflects responsible behaviour. As a WordPress maintenance service provider, it is our responsibility to keep our clients’ websites secure and up-to-date by regularly monitoring and updating their plugins so keeping up-to-date with the latest news and vulnerabilities related to WordPress plugins such as this is a must.