WordPress Code Snippets Plugin Vulnerability: 1 Million Sites Compromised
WordPress WPCode Plugin Found Vulnerable – 1 Million Sites Affected
For the second time in 2023, a vulnerability has been found in the WordPress plugin WPCode – Insert Headers and Footers, Custom Code Snippets.
The WPCode WordPress plugin, which has over a million installations, was found to have a security issue. The vulnerability could allow attackers to delete files on the server. The US government’s National Vulnerability Database (NVD) published an advisory about the issue.
About the WPCode Plugin
WPCode, a well-known plugin formerly called Insert Headers and Footers by WPBeginner, lets WordPress site owners add code snippets to the header and footer sections of their websites. This is useful for publishers who need to include a variety of code, such as AdSense tags, CSS, and almost anything else that belongs in a website’s header or footer.
Cross-Site Request Forgery (CSRF) vulnerability: what is it?
CSRF is a type of attack that abuses an end user’s authenticated session with a web application to carry out unauthorized actions. Attackers may use social engineering, such as sending a malicious link by email or chat, to get users of the application to trigger the action the attacker wants.
The attacker effectively borrows the logged-in user’s credentials to perform these actions on the site. Because the browser automatically attaches the cookies that prove the user’s login status, the site processes the request whenever an authenticated user follows the malicious link. The attacker’s goal is for the logged-in user to perform the harmful action without realizing it.
How was the WPCode Plugin Found Vulnerable?
A successful CSRF attack can force a regular user to make requests that change the application’s state, such as transferring money or changing their email address. If the target is an administrative account, however, CSRF can put the entire web application at risk.
This is the second weakness for the WPCode Insert Headers and Footers plugin to be identified in 2023.
Wordfence, the WordPress security company, classified this flaw as a “Missing Authorization to Sensitive Key Update/Disclosure” and said it affected version 2.0.6.
According to the National Vulnerability Database report, versions up to 2.0.7 are affected.
The National Vulnerability Database described the earlier vulnerability as follows:
Before version 2.0.7, the WPCode WordPress plugin only checked the nonce and lacked adequate privilege verification for several AJAX actions.
This could allow any authenticated user with permission to edit posts to call the WPCode Library authentication endpoints, for example to change or remove the authentication key.
The NVD also states: “The WPCode WordPress plugin before version 2.0.9 has a flawed CSRF check when clearing logs and does not ensure that the file to be deleted is inside the expected folder. As a result, attackers could force users with the wpcode_activate_snippets capability to delete arbitrary log files on the server, including those outside the blog directories.”
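Both NVD descriptions above come down to the same handler-level mistakes: a nonce check alone stops a cross-site request but says nothing about whether the caller is allowed to perform the action, and a file name taken from the request can point outside the folder the plugin meant to manage. The following PHP is an added illustration of that pattern and its fix, written for this page; it is not WPCode’s source code. The hook name, the `example_` function names and the log directory are assumptions, and the `wpcode_activate_snippets` capability is used only because the advisory names it.

```php
<?php
// Added illustration, not WPCode's own code. Hook name, function names and
// EXAMPLE_LOG_DIR are assumptions made for this example.

define( 'EXAMPLE_LOG_DIR', WP_CONTENT_DIR . '/uploads/example-logs' ); // assumed location

// BEFORE: the shape of handler the advisories describe. The nonce is verified,
// but nothing confirms the caller holds the relevant capability, and the file
// name is used as-is, so "../" sequences can escape the log folder.
function example_delete_log_vulnerable() {
    check_ajax_referer( 'example_delete_log', 'nonce' );

    $file = $_POST['file'] ?? '';
    $path = EXAMPLE_LOG_DIR . '/' . $file;
    if ( file_exists( $path ) ) {
        unlink( $path );
    }
    wp_send_json_success();
}

// AFTER: nonce (CSRF) + capability (authorization) + path containment.
function example_delete_log_hardened() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    //    check_ajax_referer() ends the request on a missing or invalid nonce.
    check_ajax_referer( 'example_delete_log', 'nonce' );

    // 2. Authorization: a nonce proves intent, not privilege. Require the
    //    capability the advisory associates with log handling (assumed here
    //    to be the right one for this operation).
    if ( ! current_user_can( 'wpcode_activate_snippets' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // calls wp_die()
    }

    // 3. Path containment: sanitize_file_name() strips path separators, and
    //    realpath() resolves symlinks and ".." so the result can be compared
    //    against the real log directory. Anything outside it is refused.
    $name = sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) );
    $base = realpath( EXAMPLE_LOG_DIR );
    $real = '' === $name ? false : realpath( EXAMPLE_LOG_DIR . '/' . $name );

    if ( false === $base || false === $real
        || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR )
        || 'log' !== pathinfo( $real, PATHINFO_EXTENSION ) ) {
        wp_send_json_error( 'invalid log file', 400 );
    }

    if ( ! unlink( $real ) ) {
        wp_send_json_error( 'could not delete log', 500 );
    }
    wp_send_json_success( array( 'deleted' => basename( $real ) ) );
}

add_action( 'wp_ajax_example_delete_log', 'example_delete_log_hardened' );
```

The client side would obtain the token with `wp_create_nonce( 'example_delete_log' )` and send it as the `nonce` field. The three checks are independent: the nonce defeats a forged cross-site request, the capability check defeats a low-privileged but legitimately logged-in user, and the `realpath()` prefix comparison plus extension check defeats a path that is valid in form but points outside the log directory.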
Fix this Vulnerability with WPCode Security Updates
According to the changelog for the WPCode – Insert Headers and Footers WordPress plugin, a security vulnerability has been fixed.
For version update 2.0.9, the changelog notes:
“Security Fix: Strengthening/hardening security and privacy for deleting logs.”
The changelog entry matters because it tells plugin users what the update contains and lets them decide whether to install it immediately or wait for the next release.
WPCode handled this responsibly by acknowledging the security fix in the changelog and responding to the vulnerability report promptly after it was disclosed.
Users of the WPCode – Insert Headers and Footers plugin are advised to update to version 2.0.9 or later. They should also check their websites for any indication of compromise and, if necessary, take immediate action.
Elementor Pro Vulnerability 2023
Elementor Pro, a widely used WordPress page builder plugin, recently contained a critical security flaw that allowed malicious actors to compromise websites running the software. An SQL injection vulnerability in Elementor Pro’s upgrader component gave attackers unrestricted access to the administration interfaces of vulnerable installations. Attackers could use this flaw to gain administrator privileges, install malware, and modify site data. According to vulnerability analysts, over 200,000 WordPress installations ran Elementor Pro and were at risk of exploitation before the developer released a fix.