The WPCode – Insert Headers and Footers + Custom Code Snippets WordPress plugin, with over a million installations, was discovered to have a vulnerability that could allow an attacker to delete files on the server.
A warning about the vulnerability was posted to the United States Government's National Vulnerability Database (NVD).
Insert Headers and Footers Plugin
The WPCode plugin (formerly known as Insert Headers and Footers by WPBeginner) is a popular plugin that allows WordPress publishers to add code snippets to the header and footer areas of their site.
This is useful for publishers who need to add a Google Search Console site verification code, CSS, structured data, even AdSense code, virtually anything that belongs in either the header or the footer of a website.
Cross-Site Request Forgery (CSRF) Vulnerability
The WPCode – Insert Headers and Footers plugin before version 2.0.9 contains what has been identified as a Cross-Site Request Forgery (CSRF) vulnerability.
A CSRF attack relies on tricking a user who is logged in to the WordPress site into clicking a link, or simply visiting an attacker-controlled page that silently submits a request, which performs an unwanted action on the site.
The attacker is essentially piggy-backing on the logged-in user's session to perform actions on the site with that user's privileges.
When the logged-in user's browser sends the malicious request, the site carries it out because the browser automatically attaches the session cookies that identify the user as logged in; unless the handler also demands a token that a cross-site page cannot obtain, such as a WordPress nonce, the site has no way to tell a forged request from a genuine one.
It is this malicious action, executed unknowingly by the logged-in user, that the attacker is counting on.
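The following is an added illustration of the mechanism described above; it is not WPCode's own source and does not reproduce the plugin's actual handler. It shows a hypothetical WordPress admin action that deletes a file, first relying only on the logged-in session (forgeable from any page the user visits) and then hardened with a capability check, a nonce check, and path confinement. The action names, file paths, and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
/**
 * Added example (not WPCode code): a hypothetical file-deletion admin action,
 * shown in a CSRF-vulnerable form and a hardened form.
 * Action names, paths and the required capability are assumed for illustration.
 */

// --- Vulnerable form (assumed for illustration) -------------------------------
// The handler trusts the browser's logged-in session alone. An attacker page
// containing e.g.
//   <form action="https://victim/wp-admin/admin-post.php" method="post">
//     <input type="hidden" name="action" value="demo_delete_file_unsafe">
//     <input type="hidden" name="file"   value="important.txt">
//   </form><script>document.forms[0].submit()</script>
// gets the admin's cookies attached automatically, and the file is deleted.
add_action( 'admin_post_demo_delete_file_unsafe', 'demo_delete_file_unsafe' );
function demo_delete_file_unsafe() {
    $file = $_REQUEST['file'];                        // attacker-controlled
    unlink( WP_CONTENT_DIR . '/uploads/' . $file );   // no nonce, no capability check
    wp_safe_redirect( admin_url() );
    exit;
}

// --- Hardened form ----------------------------------------------------------
add_action( 'admin_post_demo_delete_file', 'demo_delete_file' );
function demo_delete_file() {
    // 1. Capability check: only users allowed to manage the site may delete.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // 2. Nonce check: the request must carry a token that only a page WordPress
    //    rendered for this user could contain. A cross-site page cannot read it,
    //    so a forged request stops here (check_admin_referer() calls wp_die()).
    check_admin_referer( 'demo_delete_file' );   // verifies $_REQUEST['_wpnonce']

    // 3. Confine the target to the intended directory to block path traversal.
    $base = realpath( WP_CONTENT_DIR . '/uploads' );
    $name = sanitize_file_name( wp_unslash( $_REQUEST['file'] ?? '' ) );
    $path = realpath( $base . '/' . $name );
    if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid file', 400 );
    }

    wp_delete_file( $path );
    wp_safe_redirect( admin_url() );
    exit;
}

// The legitimate admin page emits the nonce with the form, so only a request
// originating from this page (for this user, within the nonce lifetime) passes.
function demo_render_delete_form( $file ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_delete_file">
        <input type="hidden" name="file" value="<?php echo esc_attr( $file ); ?>">
        <?php wp_nonce_field( 'demo_delete_file' ); ?>
        <button type="submit">Delete</button>
    </form>
    <?php
}
```

The two checks do different jobs: `current_user_can()` answers "is this user allowed to do this?", while the nonce answers "did this user actually intend this request?". CSRF bypasses only the second question, which is why a capability check alone is not enough, and why WordPress's own guidance is to pair every state-changing handler with `check_admin_referer()` or `wp_verify_nonce()`. Note that WordPress nonces are tied to the user and the action and expire after a limited window rather than being strictly single-use, which is still sufficient to defeat a cross-site request that cannot read the victim's page.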