Yet another WordPress plugin puts hundreds of thousands of sites at risk

WordPress logo
(Image credit: WordPress)

Another day, another WordPress plugin (opens in new tab) vulnerability that affects hundreds of thousands of websites. 

This latest issue, a reflected cross-site scripting (XSS) vulnerability, was discovered by the Wordfence Threat Intelligence team in Header Footer Code Manager, a WordPress plugin allowing webmasters to add code snippets to the headers and footers of their websites.

The flaw itself revolves around the admin ability to view the list of code snippets added to the site, including links to edit, or delete, existing code snippets. By tricking an administrator into visiting a self-submitting form, the attacker can execute a JavaScript in the browser, and as a result, gain the same privileges as the administrator himself. The attacker can also create other, malicious administrator accounts, or even install backdoors.

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window (opens in new tab) <<

More than 300,000 potential victims

The researchers add that this particular plugin is used to add code to a site, meaning a threat actor could even attack the site’s visitors, even on sites where file editing and user creation functionality is locked. 

Given that the attacker needs to know its victims very well, and distribute proper links and forms, it’s safe to assume that this vulnerability can only be used in particularly targeted attacks. 

The Header Footer Code Manager plugin has been installed more than 300,000 times so far, the researchers said, urging the users to update the plugin immediately. The plugin’s authors have been notified of the vulnerability on time, and have issued a patch within three days. The latest version of the plugin carries the number 1.1.17, and was made available on February 18, 2022.

WordPress is one of the world’s most popular website builders, as roughly 37% of all websites are hosted (opens in new tab) by the tool. That’s a total of 455 million websites. Furthermore, WordPress powers almost two-thirds (62%) of all CMS websites out there. 

That makes it a major target for threat actors, who oftentimes use the tens of thousands of available WordPress plugins as their entry point. That is why cybersecurity researchers always urge WordPress users to keep their websites (opens in new tab), and its plugins, fully updated, at all times. 

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.