WordPress Vulnerability Hits +1 Million Using Header & Footer Plugin

The WPCode – Insert Headers and Footers + Custom Code Snippets WordPress plugin, with over a million installations, was discovered to have a vulnerability that could allow an attacker to delete files on the server.

Warning of the vulnerability was posted on the United States Government National Vulnerability Database (NVD).

Insert Headers and Footers Plugin

The WPCode plugin (formerly known as Insert Headers and Footers by WPBeginner) is a popular plugin that allows WordPress publishers to add code snippets to the header and footer areas of their site.

This is useful for publishers who need to add a Google Search Console site validation code, CSS, structured data, even AdSense code, virtually anything that belongs in either the header or the footer of a website.

Cross-Site Request Forgery (CSRF) Vulnerability

The WPCode – Insert Headers and Footers plugin before version 2.0.9 contains what has been identified as a Cross-Site Request Forgery (CSRF) vulnerability.

A CSRF attack relies on tricking an end user who is registered on the WordPress site to click a link which performs an unwanted action.

The attacker is basically piggy-backing on the registered user’s credentials to perform actions on the site that the user is registered on.

When a logged-in WordPress user clicks a link containing a malicious request, the site carries out the request because it arrives from a browser whose cookies correctly identify the user as logged in.

It is the malicious action that the registered user unknowingly executes that the attacker is counting on.

The non-profit Open Worldwide Application Security Project (OWASP) describes a CSRF vulnerability:

“Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.

With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing.

If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth.

If the victim is an administrative account, CSRF can compromise the entire web application.”

The Common Weakness Enumeration (CWE) website, which is sponsored by the United States Department of Homeland Security, offers a definition of this kind of CSRF:

“The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

…When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request.

This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.”

In this particular case the unwanted actions are limited to deleting log files.

The National Vulnerability Database published details of the vulnerability:

“The WPCode WordPress plugin before 2.0.9 has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder.

This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders.”

The WPScan website (owned by Automattic) published a proof of concept of the vulnerability.

A proof of concept, in this context, is code that verifies and demonstrates that a vulnerability can work.

This is the proof of concept:

"Make a logged in user with the wpcode_activate_snippets capability open the URL below

https://example.com/wp-admin/admin.php?page=wpcode-tools&view=logs&wpcode_action=delete_log&log=../../delete-me.log

This will make them delete the ~/wp-content/delete-me.log"
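As an added example (not WPCode's code, nor the fix the plugin shipped), the handler below shows the two controls the NVD description says were missing before 2.0.9: a nonce bound to the delete action, and a check that the requested log resolves to a file inside the expected log folder. It also keeps the capability check alongside the nonce, which is the combination the separate pre-2.0.7 issue in this article turned on. Function names, the nonce action string and the logs directory are hypothetical; current_user_can(), check_admin_referer(), wp_unslash() and wp_die() are WordPress APIs, and example_resolve_log_path() is plain PHP.

```php
<?php
// Added example, not WPCode's code: a hardened "delete log" admin handler for a
// request like admin.php?page=...&wpcode_action=delete_log&log=<name>.

/**
 * Resolve a user-supplied log name to a canonical path inside $logs_dir.
 * Returns null for anything that is not a plain .log file in that folder.
 * Pure PHP, so it can be exercised without a WordPress install.
 */
function example_resolve_log_path(string $logs_dir, string $requested): ?string
{
    // Reject any directory component: "../../delete-me.log" has a basename that
    // differs from the raw input, so it fails here before touching the filesystem.
    $name = basename($requested);
    if ($name === '' || $name !== $requested
        || !preg_match('/^[A-Za-z0-9_-]+\.log$/', $name)) {
        return null;
    }
    $base = realpath($logs_dir);
    $path = realpath($logs_dir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks; the canonical path must stay under $base.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Hypothetical handler name; $logs_dir is wherever the plugin keeps its logs.
 */
function example_handle_delete_log(string $logs_dir): void
{
    // Authorisation: a capability alone, without a nonce, is not enough (CSRF),
    // and a nonce alone, without a capability check, is not enough either.
    if (!current_user_can('wpcode_activate_snippets')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }
    // CSRF: the link must carry a nonce minted for this action, e.g. via
    // wp_nonce_url($url, 'example_delete_log'). check_admin_referer() dies otherwise.
    check_admin_referer('example_delete_log');
    $requested = isset($_GET['log']) ? (string) wp_unslash($_GET['log']) : '';
    $path = example_resolve_log_path($logs_dir, $requested);
    if ($path === null) {
        wp_die('Invalid log file', '', ['response' => 400]);
    }
    unlink($path);
}
```

With this check, the proof-of-concept value `../../delete-me.log` returns null at the basename comparison, while a plain `delete-me.log` is only deleted if it actually exists inside the log folder.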

Second Vulnerability for 2023

This is the second vulnerability discovered in 2023 for the WPCode Insert Headers and Footers plugin.

Another vulnerability was discovered in February 2023, affecting versions 2.0.6 or earlier, which the Wordfence WordPress security company described as a “Missing Authorization to Sensitive Key Disclosure/Update.”

According to the NVD report, that vulnerability also affected versions up to 2.0.7.

The NVD warned of the earlier vulnerability:

“The WPCode WordPress plugin before 2.0.7 does not have adequate privilege checks in place for several AJAX actions, only checking the nonce.

This may lead to allowing any authenticated user who can edit posts to call the endpoints related to WPCode Library authentication (such as update and delete the auth key).”

WPCode Issued a Security Patch

The Changelog for the WPCode – Insert Headers and Footers WordPress plugin responsibly notes that they patched a security issue.

A changelog notation for version update 2.0.9 states:

“Fix: Security hardening for deleting logs.”

The changelog notation is important because it alerts users of the plugin to the contents of the update and allows them to make an informed decision on whether to proceed with the update or wait until the next one.

WPCode acted responsibly by responding to the vulnerability discovery on a timely basis and also noting the security fix in the changelog.

Recommended Actions

It is recommended that users of the WPCode – Insert Headers and Footers plugin update their plugin to at least version 2.0.9.

The most up to date version of the plugin is 2.0.10.

Read about the vulnerability at the NVD website:

CVE-2023-1624 Detail

Google’s AI Overviews Avoid Political Content, New Data Shows

Study reveals Google’s cautious approach to AI-generated content in sensitive search results, varying across health, finance, legal, and political topics.

  • Google shows AI Overviews for 50% of YMYL topics, with legal queries triggering them most often.
  • Health and finance AI Overviews frequently include disclaimers urging users to consult professionals.
  • Google avoids generating AI Overviews for sensitive topics like mental health, elections, and specific medications.

Executive Director Of WordPress Resigns

WordPress Executive Director Josepha Haden Chomphosy resigns,

Josepha Haden Chomphosy, Executive Director of the WordPress Project, officially announced her resignation, ending a nine-year tenure. This comes just two weeks after Matt Mullenweg launched a controversial campaign against a managed WordPress host, which responded by filing a federal lawsuit against him and Automattic.

She posted an upbeat notice on her personal blog, reaffirming her belief in the open source community as a positive economic force as well as the importance of strong opinions that are “loosely held.”

She wrote:

“This week marks my last as the Executive Director of the WordPress project. My time with WordPress has transformed me, both as a leader and an advocate. There’s still more to do in our shared quest to secure a self-sustaining future of the open source project that we all love, and my belief in our global community of contributors remains unchanged.

…I still believe that open source is an idea that can transform generations. I believe in the power of a good-hearted group of people. I believe in the importance of strong opinions, loosely held. And I believe the world will always need the more equitable opportunities that well-maintained open source can provide: access to knowledge and learning, easy-to-join peer and business networks, the amplification of unheard voices, and a chance to tap into economic opportunity for those who weren’t born into it.”

Turmoil At WordPress

The resignation comes amidst the backdrop of a conflict between WordPress co-founder Matt Mullenweg and the managed WordPress web host WP Engine, which has brought unprecedented turmoil within the WordPress community, including a federal lawsuit filed by WP Engine accusing Mullenweg of attempted extortion.

Resignation News Was Leaked

The news about the resignation was leaked on October 2nd by the founder of the WordPress news site WP Tavern (now owned by Matt Mullenweg), who tweeted that he had spoken with Josepha that evening and that she had announced her resignation.

He posted:

“I spoke with Josepha tonight. I can confirm that she’s no longer at Automattic.

She’s working on a statement for the community. She’s in good spirits despite the turmoil.”

Screenshot Of Deleted Tweet

Josepha tweeted the following response the next day:

“Ok, this is not how I expected that news to come to y’all. I apologize that this is the first many of you heard of it. Please don’t speculate about anything.”

Rocky Period For WordPress

While her resignation was somewhat of an open secret, it is still a significant event because of recent events at WordPress, including the resignations of 8.4% of Automattic employees as a result of an offer of a generous severance package to all employees who no longer wished to work there.

Read the official announcement:

Thank you, WordPress

8% Of Automattic Employees Choose To Resign

WordPress co-founder and Automattic CEO Matt Mullenweg announced today that he had offered Automattic employees the chance to resign with severance pay, and 8.4 percent accepted. Mullenweg offered $30,000 or six months of salary, whichever is higher, with a total of 159 people taking his offer.

Reactions Of Automattic Employees

Given the recent controversies created by Mullenweg, one might be tempted to view the walkout as a vote of no-confidence in Mullenweg. But that would be a mistake because some of the employees announcing their resignations either praised Mullenweg or simply announced their resignation while many others tweeted how happy they are to stay at Automattic.

One former employee tweeted that he was sad about recent developments but also praised Mullenweg and Automattic as an employer.

He shared:

“Today was my last day at Automattic. I spent the last 2 years building large scale ML and generative AI infra and products, and a lot of time on robotics at night and on weekends.

I’m going to spend the next month taking a break, getting married, and visiting family in Australia.

I have some really fun ideas of things to build that I’ve been storing up for a while. Now I get to build them. Get in touch if you’d like to build AI products together.”

Another former employee, Naoko Takano, a 14-year employee, an organizer of WordCamp conferences in Asia, a full-time WordPress contributor and Open Source Project Manager at Automattic, announced on X (formerly Twitter) that today was her last day at Automattic, with no additional comment.

She tweeted:

“Today was my last day at Automattic.

I’m actively exploring new career opportunities. If you know of any positions that align with my skills and experience!”

Naoko’s role at WordPress was working with the global WordPress community to improve contributor experiences through the Five for the Future and Mentorship programs. Five for the Future is an important WordPress program that encourages organizations to donate 5% of their resources back into WordPress. Five for the Future is one of the issues Mullenweg had against WP Engine, asserting that they didn’t donate enough back into the community.

Mullenweg himself was bittersweet to see those employees go, writing in a blog post:

“It was an emotional roller coaster of a week. The day you hire someone you aren’t expecting them to resign or be fired, you’re hoping for a long and mutually beneficial relationship. Every resignation stings a bit.

However now, I feel much lighter. I’m grateful and thankful for all the people who took the offer, and even more excited to work with those who turned down $126M to stay. As the kids say, LFG!”

Read the entire announcement on Mullenweg’s blog:

Automattic Alignment
