A security flaw has been uncovered in the WPCode WordPress plugin, which has over a million installations. The vulnerability could enable an attacker to delete files on the server. The U.S. government's National Vulnerability Database (NVD) issued an alert about the issue.
About the WPCode Plugin

Formerly called Insert Headers and Footers by WPBeginner, the WPCode plugin is a widely used tool that lets WordPress publishers add code snippets to their site's header and footer sections. The plugin makes it easy to add Google Search Console site verification code, CSS, structured data, AdSense code, and more.

Detected Cross-Site Request Forgery (CSRF) Vulnerability

WPCode plugin versions before 2.0.9 contain a CSRF vulnerability. A CSRF attack tricks a logged-in user of the WordPress site into clicking a link or submitting a request that triggers an action the user did not intend. Because the browser sends the user's session along with the request, the site performs the action with that user's privileges.

In this specific instance, the unwanted action is limited to deleting log files. The NVD described the vulnerability as follows: the WPCode plugin before version 2.0.9 had a flawed CSRF check during log deletion and did not verify that the file slated for removal was located inside the expected log folder. Two separate defects are therefore involved: a missing or ineffective request-origin check, and a missing path check on the file name supplied in the request.
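The two defects described above (a request that is not tied to the user's intent, and a file name that is not confined to the log directory) map to two independent checks a log-deletion handler needs. The following is an added example of a hardened WordPress admin-ajax handler; it is not WPCode's code, and the hook name, nonce action, log directory and file-name pattern are hypothetical choices made for illustration.

```php
<?php
// Added example, not WPCode's own code. Assumed (hypothetical) names:
// AJAX action "myplugin_delete_log", nonce action "myplugin_delete_log_nonce",
// logs stored under <uploads>/myplugin-logs/ with a ".log" extension.

add_action( 'wp_ajax_myplugin_delete_log', 'myplugin_delete_log' );

function myplugin_delete_log() {
    // Check 1 (CSRF): the request must carry a nonce bound to this action and
    // this user. check_ajax_referer() calls wp_die() if the nonce is missing
    // or invalid, so a forged cross-site request never reaches the deletion.
    // The nonce is issued on the admin page with wp_create_nonce( 'myplugin_delete_log_nonce' ).
    check_ajax_referer( 'myplugin_delete_log_nonce', 'nonce' );

    // A nonce proves intent, not privilege: still require a capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $requested = isset( $_POST['file'] ) ? (string) wp_unslash( $_POST['file'] ) : '';
    $log_dir   = trailingslashit( wp_upload_dir()['basedir'] ) . 'myplugin-logs/';

    // Check 2 (path confinement): resolve the name and refuse anything
    // outside the log directory.
    $resolved = myplugin_resolve_log_path( $log_dir, $requested );
    if ( false === $resolved ) {
        wp_send_json_error( 'invalid log file', 400 );
    }

    if ( ! unlink( $resolved ) ) {
        wp_send_json_error( 'could not delete log', 500 );
    }
    wp_send_json_success( array( 'deleted' => basename( $resolved ) ) );
}

/**
 * Return the absolute path of a log file inside $log_dir, or false if the
 * requested name is not a plain ".log" file name that resolves to that directory.
 */
function myplugin_resolve_log_path( $log_dir, $requested ) {
    // Accept only a bare file name: basename() must not change it (rejects any
    // "/" or "\"), and the allow-list pattern rejects "..", spaces and so on.
    $name = basename( $requested );
    if ( '' === $name || $name !== $requested
        || ! preg_match( '/^[A-Za-z0-9_-]+\.log$/', $name ) ) {
        return false;
    }

    // realpath() resolves symlinks and ".." segments on both sides, so the
    // comparison is made on canonical paths; it returns false for missing files.
    $base = realpath( $log_dir );
    $path = realpath( $log_dir . $name );
    if ( false === $base || false === $path ) {
        return false;
    }

    // The file's parent directory must be exactly the log directory.
    if ( dirname( $path ) !== $base ) {
        return false;
    }
    return $path;
}
```

The order of the checks matters: the nonce and capability checks run before any user-supplied value is touched, and the path check treats the file name as an allow-listed token rather than a path, so a request that passes both can only delete a file the handler was designed to delete.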
Automattic’s WPScan website published a proof of concept that showcased the vulnerability in action.
Two Vulnerabilities Identified in WPCode in 2023

This is the second vulnerability identified in the WPCode plugin in 2023. In February 2023, another flaw was discovered, affecting versions 2.0.6 and below. WordPress security company Wordfence described the issue as “Missing Authorization to Sensitive Key Disclosure/Update.”

WPCode Releases Security Update

In response to the vulnerability report, WPCode released a security update as version 2.0.9. The changelog notes the improved security of log deletion, which lets site owners judge the urgency of updating.

Suggested Steps for Users

WPCode plugin users are advised to update to at least version 2.0.9 to protect their websites from this vulnerability.