Another day, another WordPress plugin vulnerability that affects hundreds of thousands of websites.
This latest issue, a reflected cross-site scripting (XSS) vulnerability, was discovered by the Wordfence Threat Intelligence team in Header Footer Code Manager, a WordPress plugin allowing webmasters to add code snippets to the headers and footers of their websites.
More than 300,000 potential victims
The researchers add that because this particular plugin is used to add code to a site, a threat actor could also attack the site's visitors, even on sites where file editing and user creation functionality is locked down.
Given that the attacker needs to know their victims very well and must distribute suitable links and forms, it's safe to assume that this vulnerability can only be used in particularly targeted attacks.
The Header Footer Code Manager plugin has been installed more than 300,000 times so far, the researchers said, urging users to update the plugin immediately. The plugin's authors were notified of the vulnerability promptly and issued a patch within three days. The latest version of the plugin, 1.1.17, was made available on February 18, 2022.
WordPress is one of the world's most popular website builders, with roughly 37% of all websites hosted by the tool. That's a total of 455 million websites. Furthermore, WordPress powers almost two-thirds (62%) of all CMS websites out there.
That makes it a major target for threat actors, who often use the tens of thousands of available WordPress plugins as their entry point. That is why cybersecurity researchers always urge WordPress users to keep their websites, and their plugins, fully updated at all times.