Yet another WordPress plugin puts hundreds of thousands of sites at risk
Newly discovered WordPress plugin flaw allows for XSS attacks, researchers say
Another day, another WordPress plugin vulnerability that affects hundreds of thousands of websites.
This latest issue, a reflected cross-site scripting (XSS) vulnerability, was discovered by the Wordfence Threat Intelligence team in Header Footer Code Manager, a WordPress plugin allowing webmasters to add code snippets to the headers and footers of their websites.
The flaw itself revolves around the admin ability to view the list of code snippets added to the site, including links to edit or delete existing code snippets. By tricking an administrator into visiting a self-submitting form, the attacker can execute JavaScript in the administrator's browser and, as a result, gain the same privileges as the administrator. The attacker could then create additional, malicious administrator accounts, or even install backdoors.
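As an added illustration of the reflected-XSS pattern described above (constructed for this article, not the Header Footer Code Manager plugin's actual code; the `hfcm_demo_*` function names and the `filter` parameter are hypothetical), here is a WordPress admin snippet listing that reflects a request parameter unescaped, beside a hardened version that uses WordPress's escaping and nonce APIs:

```php
<?php
// Constructed example of the vulnerability class, NOT the plugin's real code.
// Function names and the 'filter' parameter are hypothetical.

// Vulnerable pattern: a request parameter is reflected into the admin
// snippet list without escaping, and the delete action is a plain GET link
// with no nonce, so a self-submitting form can trigger it from a victim's browser.
function hfcm_demo_list_vulnerable( array $snippets ) {
    $filter = isset( $_GET['filter'] ) ? $_GET['filter'] : '';
    echo '<h2>Snippets matching: ' . $filter . '</h2>'; // reflected XSS sink
    foreach ( $snippets as $id => $name ) {
        echo '<p>' . $name
            . ' <a href="?page=hfcm_demo&action=delete&id=' . $id . '">Delete</a></p>';
    }
}

// Hardened pattern: sanitize on input, escape every value at the point of
// output, build action URLs with a nonce, and verify capability plus nonce
// before acting on any state-changing request.
function hfcm_demo_list_hardened( array $snippets ) {
    $filter = isset( $_GET['filter'] )
        ? sanitize_text_field( wp_unslash( $_GET['filter'] ) )
        : '';
    echo '<h2>Snippets matching: ' . esc_html( $filter ) . '</h2>';
    foreach ( $snippets as $id => $name ) {
        $id  = (int) $id;
        $url = wp_nonce_url(
            admin_url( 'admin.php?page=hfcm_demo&action=delete&id=' . $id ),
            'hfcm_demo_delete_' . $id
        );
        echo '<p>' . esc_html( $name )
            . ' <a href="' . esc_url( $url ) . '">Delete</a></p>';
    }
}

// Handler for the delete action: refuses unprivileged users and requests
// that lack the per-snippet nonce (check_admin_referer() dies on failure).
function hfcm_demo_handle_delete() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    $id = isset( $_GET['id'] ) ? (int) $_GET['id'] : 0;
    check_admin_referer( 'hfcm_demo_delete_' . $id );
    // ... delete snippet $id here ...
}
```

The hardened listing neutralises both halves of the problem the researchers describe: escaped output stops the reflected script from running, and the nonce check stops a form submitted from another site from acting with the administrator's session.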
More than 300,000 potential victims
The researchers add that because this particular plugin is used to add code to a site, a threat actor could also attack the site's visitors, even on sites where file editing and user-creation functionality is locked down.
Given that the attacker needs to know their victims well and distribute the crafted links and forms to them, it's safe to assume that this vulnerability can only be used in highly targeted attacks.
The Header Footer Code Manager plugin has been installed more than 300,000 times so far, the researchers said, urging users to update the plugin immediately. The plugin's authors were notified of the vulnerability promptly and issued a patch within three days. The latest version of the plugin carries the number 1.1.17 and was made available on February 18, 2022.
WordPress is one of the world's most popular website builders, as roughly 37% of all websites are hosted by the tool. That's a total of 455 million websites. Furthermore, WordPress powers almost two-thirds (62%) of all CMS websites out there.
That makes it a major target for threat actors, who often use the tens of thousands of available WordPress plugins as their entry point. That is why cybersecurity researchers always urge WordPress users to keep their websites, and their plugins, fully updated at all times.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.