WPCode Plugin Vulnerability Hits Over 1 Million WordPress Users
Security researchers discovered a second vulnerability in the WPCode – Insert Headers and Footers + Custom Code Snippets WordPress plugin in 2023, highlighting the importance of keeping plugins up to date.
The plugin, which has over a million installations, allows WordPress publishers to add code snippets to the header and footer area. However, vulnerabilities in the plugin could allow attackers to delete files on the server.
In February 2023, security company Wordfence discovered a “Missing Authorization to Sensitive Key Disclosure/Update” vulnerability affecting versions 2.0.6 and earlier, which the National Vulnerability Database (NVD) warned also affected versions up to 2.0.7. This vulnerability allowed any authenticated user who could edit posts to call the endpoints related to WPCode Library authentication and update or delete the authentication key.
Now, the NVD has posted a warning of a Cross-Site Request Forgery (CSRF) vulnerability in the plugin before version 2.0.9. A CSRF attack tricks an end user into clicking a link that performs an unwanted action on the website, with the attacker piggybacking on the user’s credentials to perform actions on the site.
In this case, the CSRF vulnerability could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including files outside the blog’s folders.
The WPCode plugin developers acted responsibly by issuing a security patch for the flaw. Version 2.0.9 of the plugin includes “Security hardening for deleting logs”, according to the changelog. Users of the WPCode – Insert Headers and Footers plugin are advised to update to at least version 2.0.9; the most recent version at the time of writing was 2.0.10.
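To show what a CSRF-plus-arbitrary-file-deletion pattern in a log-deletion handler looks like and which controls close it, here is a hypothetical WordPress admin-post handler, added for this write-up and not WPCode’s own code: the weak shape beside the hardened one. The function names, the `example_delete_log` action and the log directory path are assumptions; the capability name is the one from the advisory.

```php
<?php
// Hypothetical handler for deleting a plugin log file (illustration only,
// not WPCode's code). Shows the controls whose absence yields the
// CSRF + arbitrary-file-deletion pattern described above.

// Weak shape: no nonce, no capability check, caller-controlled path.
function example_delete_log_weak() {
    $file = $_REQUEST['file']; // may contain "../" segments
    @unlink( WP_CONTENT_DIR . '/uploads/example-logs/' . $file );
}

// Hardened shape.
function example_delete_log_hardened() {
    // 1. CSRF: the request must carry a nonce tied to this action and the
    //    current user; a link forged on a third-party site cannot supply it.
    check_admin_referer( 'example_delete_log' );

    // 2. Authorization: only users holding the relevant capability.
    if ( ! current_user_can( 'wpcode_activate_snippets' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Path containment: reduce the parameter to a bare file name, then
    //    verify the resolved path stays inside the log directory (assumed path).
    $log_dir = realpath( WP_CONTENT_DIR . '/uploads/example-logs' );
    $name    = basename( sanitize_file_name( wp_unslash( $_REQUEST['file'] ?? '' ) ) );
    $target  = $log_dir ? realpath( $log_dir . '/' . $name ) : false;

    if ( '' === $name || false === $target
        || strpos( $target, $log_dir . DIRECTORY_SEPARATOR ) !== 0
        || substr( $target, -4 ) !== '.log' ) {
        wp_die( 'Invalid log file', '', array( 'response' => 400 ) );
    }

    unlink( $target );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_example_delete_log', 'example_delete_log_hardened' );

// The link that triggers the hardened handler must be generated with the
// matching nonce, e.g.:
// wp_nonce_url( admin_url( 'admin-post.php?action=example_delete_log&file=debug.log' ),
//               'example_delete_log' );
```

The changelog entry “Security hardening for deleting logs” gives no detail, so this is a general illustration of the controls, not a description of the actual 2.0.9 patch.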
WordPress users are advised to keep all their plugins up to date and follow best security practices to minimize the risk of attacks.
Sources:
- https://www.searchenginejournal.com/wordpress-vulnerability-hits-1-million-using-header-footer-plugin/485712/
- https://www.dailyhostnews.com/csrf-vulnerability-hits-wordpress-users