The WordPress plugin WPCode – Insert Headers and Footers + Custom Code Snippets, with over a million installations, was discovered to have a vulnerability that could allow an attacker to delete files from the server.
The vulnerability warning was published in the US government’s National Vulnerability Database (NVD).
Insert Headers and Footers plugin
The WPCode plugin (formerly known as Insert Headers and Footers by WPBeginner), is a popular plugin that allows WordPress publishers to add code snippets to the header and footer area.
This is useful for publishers who need to add Google Search Console site verification code, CSS, structured data, even AdSense code, pretty much anything that belongs in a site’s header or footer.
Cross-site request forgery (CSRF) vulnerability
The WPCode – Insert Headers and Footers plugin before version 2.0.9 contains what has been identified as a Cross-Site Request Forgery (CSRF) vulnerability.
A CSRF attack is based on tricking a user who is logged in to the WordPress site into loading a page or clicking a link that silently sends a request to that site, one the user never intended to make.
The attacker is relying on the victim’s existing session: the request is sent from the victim’s browser, so it carries the victim’s credentials.
When a logged-in WordPress user’s browser makes that request, the site carries it out because the browser automatically attaches the session cookies that identify the user as logged in. From the server’s point of view the request is indistinguishable from one the user made deliberately unless the site requires something the attacker cannot supply, such as a nonce.
It is this unintended action, performed with the registered user’s authority, that the attacker is counting on.
The non-profit Open Worldwide Application Security Project (OWASP) describes a CSRF vulnerability:
“Cross-Site Request Forgery (CSRF) is an attack that forces an end user to perform unwanted actions on a web application in which they are currently authenticated.
With a little help from social engineering (such as sending a link via email or chat), an attacker can trick users of a web application into taking actions of the attacker’s choosing.
If the victim is a normal user, a successful CSRF attack can force the user to perform status change requests such as transferring funds, changing their email address, etc.
If the victim is an administrative account, CSRF can compromise the entire web application.”
The Common Weakness Enumeration (CWE), which is sponsored by the US Department of Homeland Security, catalogs this weakness class as CWE-352, Cross-Site Request Forgery, and defines it as follows:
“The web application does not, or cannot, sufficiently verify that a well-formed, valid, and consistent request was intentionally provided by the user submitting the request.
… When a web server is designed to receive a request from a client without any mechanism to verify that it was sent intentionally, it is possible for an attacker to trick a client into making an unintended request to the web server that will be treated as an authentic request.
This can be done via a URL, image upload, XMLHttpRequest, etc. and may lead to data exposure or unintended code execution.”
In this particular case, the unwanted actions are limited to deleting log files.
The National Vulnerability Database published details of the vulnerability:
“The WPCode WordPress plugin before 2.0.9 has a bad CSRF when deleting the record and does not guarantee that the file to be deleted is in the expected folder.
This could allow attackers to cause users with the wpcode_activate_snippets capability to delete arbitrary log files on the server, including outside of blog folders.”
The WPScan website (owned by Automattic) published a proof of concept for the vulnerability.
A proof of concept, in this context, is code that verifies and demonstrates that a vulnerability can work.
This is the proof of concept:
“Have a logged in user with the wpcode_activate_snippets capability open the URL below. This will delete the ~/wp-content/delete-me.log”
Second vulnerability for 2023
This is the second vulnerability discovered in 2023 for the WPCode Insert Headers and Footers plugin.
Another vulnerability was discovered in February 2023, affecting versions 2.0.6 and below, which the Wordfence WordPress security company described as a “Missing Authorization for Disclosure/Update of Sensitive Keys”.
NVD’s vulnerability report gives the affected range as versions prior to 2.0.7, which matches the Wordfence description of 2.0.6 and below.
The NVD warned of the above vulnerability:
“The WPCode WordPress plugin prior to 2.0.7 does not have proper privilege checks for various AJAX actions, only checking for nonce.
This can allow any authenticated user who can edit posts to call authentication-related endpoints in the WPCode library (such as updating and deleting the authentication key).”
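The two advisories quoted above describe three distinct missing checks in one kind of handler: the 2.0.9 fix concerns a log-deletion action that neither verified the request was intentional (CSRF) nor confined the file path to the log folder, and the 2.0.7 fix concerns AJAX actions that verified a nonce but never checked the caller’s privileges. The following is an added illustrative example, not WPCode’s own code and not a reconstruction of it, showing a WordPress admin-ajax handler of this shape first in the vulnerable form and then with all three checks. The action name demo_delete_log, the log directory wp-content/demo-logs/ and the use of the manage_options capability are assumptions made for the example; the WordPress functions called (check_ajax_referer, current_user_can, wp_send_json_error, wp_delete_file, add_action) are the real core APIs and the code is meant to run inside a WordPress install.

```php
<?php
// Added example (not the plugin's code). Assumed names: the AJAX action
// 'demo_delete_log', the directory WP_CONTENT_DIR . '/demo-logs', and the
// 'manage_options' capability. Everything else is WordPress core API.

// BEFORE: the vulnerable shape. No nonce check, so any page the victim loads
// can make the victim's browser send admin-ajax.php?action=demo_delete_log&file=...
// No path containment, so file=../../delete-me.log escapes the log directory.
function demo_delete_log_vulnerable() {
    $file = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';
    $path = WP_CONTENT_DIR . '/demo-logs/' . $file;
    if ( file_exists( $path ) ) {
        unlink( $path );
    }
    wp_send_json_success();
}

// AFTER: the hardened handler.
function demo_delete_log_hardened() {
    // 1. Intent: the request must carry a nonce minted for this action and
    //    this user. check_ajax_referer() dies with HTTP 403 if the 'nonce'
    //    request field is missing or invalid, which closes the CSRF vector.
    check_ajax_referer( 'demo_delete_log', 'nonce' );

    // 2. Authorization: a valid nonce only proves the request came from a page
    //    this user loaded; it says nothing about whether the user may delete
    //    logs. Checking the nonce alone is the "only checking for nonce" gap
    //    the pre-2.0.7 advisory describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Containment: resolve the directory and the requested file to canonical
    //    paths and require the file to be a direct child with a .log suffix.
    $dir       = realpath( WP_CONTENT_DIR . '/demo-logs' );
    $requested = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $target    = demo_resolve_log_path( $dir, $requested );
    if ( null === $target ) {
        wp_send_json_error( 'invalid log file', 400 );
    }

    wp_delete_file( $target );
    wp_send_json_success( array( 'deleted' => basename( $target ) ) );
}

/**
 * Return the canonical path of $name inside $dir, or null unless $name resolves
 * to a regular .log file that is a direct child of $dir.
 */
function demo_resolve_log_path( $dir, $name ) {
    if ( false === $dir || '' === $name ) {
        return null;
    }
    // Reject any directory component or traversal sequence outright.
    // Calling basename() on the input and using the result would silently turn
    // '../../x.log' into 'x.log' and hide the attempt; compare instead.
    if ( basename( $name ) !== $name || false !== strpos( $name, "\0" ) ) {
        return null;
    }
    $path = realpath( $dir . DIRECTORY_SEPARATOR . $name );
    if ( false === $path || ! is_file( $path ) ) {
        return null;
    }
    // realpath() follows symlinks, so a link dropped into the log directory
    // cannot redirect the deletion: the resolved parent must still be $dir.
    if ( dirname( $path ) !== $dir || '.log' !== substr( $path, -4 ) ) {
        return null;
    }
    return $path;
}

add_action( 'wp_ajax_demo_delete_log', 'demo_delete_log_hardened' );

// Client side: the admin page that offers the delete button embeds
// wp_create_nonce( 'demo_delete_log' ) and sends it as the 'nonce' POST field
// alongside 'file'. An attacker's page has no way to obtain that value.
```

The order of the checks matters for what an attacker learns: the nonce check runs first so that a forged cross-site request is refused before any input is inspected, and the capability check runs before path resolution so a low-privileged user cannot probe the filesystem for valid log names. The helper compares dirname() of the resolved path against the resolved directory rather than using a string prefix test, which avoids the classic mistake of accepting wp-content/demo-logs-other/ because it shares a prefix with wp-content/demo-logs.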
WPCode issued a security patch
The changelog for the WPCode – Insert Headers and Footers plugin responsibly notes that a security issue was fixed.
A changelog notation for version 2.0.9 update states:
“Fix: Strengthening security for deleting records.”
Changelog notation is important because it alerts plugin users to the content of the update and allows them to make an informed decision about whether to continue with the update or wait until the next one.
WPCode acted responsibly by responding to the discovery of vulnerabilities in a timely manner and also noted the security fix in the changelog.
Recommended actions
Users of the WPCode – Insert Headers and Footers plugin are recommended to update their plugin to at least version 2.0.9.
At the time of writing, the latest version of the plugin is 2.0.10.
Read about the vulnerability on the NVD website: