
Header Footer Code Manager has Reflected Cross-Site Scripting Vulnerability

February 22, 2022

On February 15, 2022, the Wordfence Threat Intelligence team responsibly disclosed a reflected Cross-Site Scripting (XSS) vulnerability in Header Footer Code Manager, a WordPress plugin with over 300,000 installations.

The Header Footer Code Manager plugin publisher quickly acknowledged Wordfence's initial contact, and Wordfence sent the full disclosure details the same day, on February 15, 2022. A patched version, 1.1.17, was implemented a few days later and made available on February 18, 2022.

Description: Reflected Cross-Site Scripting

Affected Plugin: Header Footer Code Manager

Plugin Slug: header-footer-code-manager

Plugin Developer: 99robots

Researcher/s: Ramuel Gall

CVE ID: CVE-2022-0710

CVSS Score: 6.1 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Versions: <= 1.1.16

Fully Patched Version: 1.1.17

Header Footer Code Manager is a WordPress plugin that allows users to add code snippets to the header or footer of a website.

One of the admin panel pages added by the plugin allows administrators to view a list of the code snippets that have been added to the site, including links to edit or delete each existing snippet. The plugin's column_name function used the $_REQUEST['page'] parameter to construct these links.

WordPress uses the value of the $_GET['page'] parameter to determine which admin page the user is currently visiting, and blocks users who are not allowed to access the page named in $_GET['page']. One might therefore expect $_REQUEST['page'] to contain only the slug of the admin page that shows the list of code snippets, hfcm-list. However, $_REQUEST parameters can be overloaded due to a quirk of how PHP handles superglobal variables.

PHP populates the $_REQUEST superglobal from $_GET, $_POST, and $_COOKIE. In most PHP configurations, if a $_GET['page'] parameter is sent, $_REQUEST['page'] will be populated with the value of $_GET['page']. However, the request_order setting (or variables_order if request_order is not set) determines which source takes precedence, and in the usual configuration a request that carries both a $_GET['page'] parameter and a $_POST['page'] parameter ends up with $_REQUEST['page'] set to the value of $_POST['page'].

The result is that this can be used to execute JavaScript in the browser of a logged-in administrator, for instance by tricking them into visiting a self-submitting form that sends a POST request to e.g. hxxps://victimsite.site/wp-admin/admin.php?page=hfcm-list, with the $_POST['page'] parameter set to malicious JavaScript.

The $_GET['page'] parameter means that WordPress will route the victim to the correct page, and then the value of $_REQUEST['page'] (which in nearly all configurations will be set to the value of $_POST['page']) will be echoed out onto the page.
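The following PHP script is an added illustration, not the plugin's own code: it rebuilds $_REQUEST from constructed $_GET and $_POST arrays according to a request_order string, then contrasts a link built from the unvalidated $_REQUEST['page'] with a hardened version that uses a fixed slug and attribute escaping. The function names, the request_order handling (cookies omitted) and the sample values are assumptions for the demonstration.

```php
<?php
// Added illustration (not Header Footer Code Manager's own code).
// Run with: php this_file.php

// Rebuild $_REQUEST the way PHP assembles it: the sources named in
// request_order are merged in sequence, so a later source overwrites an
// earlier one for the same key. Only G (GET) and P (POST) are modelled here.
function build_request(array $get, array $post, string $request_order = 'GP'): array {
    $sources = ['G' => $get, 'P' => $post];
    $request = [];
    foreach (str_split($request_order) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// Vulnerable pattern (hypothetical): the current page slug is read from
// $_REQUEST and dropped into an href without validation or escaping.
function edit_link_vulnerable(array $request, int $id): string {
    return '<a href="?page=' . $request['page'] . '&action=edit&id=' . $id . '">Edit</a>';
}

// Hardened pattern: the slug is a known constant rather than request input,
// and the whole attribute value is escaped for HTML (in a WordPress plugin
// esc_attr()/esc_url() would be used instead of htmlspecialchars()).
function edit_link_hardened(int $id): string {
    $page = 'hfcm-list';
    $href = '?page=' . rawurlencode($page) . '&action=edit&id=' . $id;
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">Edit</a>';
}

// Constructed request: the GET slug is what routes WordPress to the list
// page, while the POST body carries a value containing HTML metacharacters.
$get  = ['page' => 'hfcm-list'];
$post = ['page' => 'hfcm-list"><em>injected</em>'];

$request = build_request($get, $post, 'GP');
echo "\$_REQUEST['page'] = {$request['page']}\n";
echo "vulnerable: " . edit_link_vulnerable($request, 7) . "\n";
echo "hardened:   " . edit_link_hardened(7) . "\n";
```

With request_order 'GP' the POST value wins and the vulnerable link breaks out of the href attribute, while the hardened link is unaffected because it never consults the request for the slug.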

Most XSS can be used to perform actions using an administrator’s session, which includes the ability to create malicious administrators and in some cases add backdoors. Additionally, this particular plugin is used to add code to a site, so an attacker could also potentially leverage reflected XSS into stored XSS to attack site visitors, even on sites where file editing and user creation functionality was locked down.

Timeline

February 15, 2022 – The Wordfence Threat Intelligence team finishes the investigation and releases a firewall rule to Wordfence Premium, Care, and Response users to protect against any exploits targeting this vulnerability. Wordfence initiates the responsible disclosure process, receives a response from the plugin's developers, and sends over the full disclosure.
February 17, 2022 – Plugin changelog says the issue is fixed.
February 18, 2022 – A patched version of the plugin, 1.1.17, is released on the WordPress repository.
March 17, 2022 – The firewall rule becomes available to free Wordfence users.

Conclusion

In this article, we looked at a reflected XSS vulnerability in the Header Footer Code Manager WordPress plugin. While exploiting it would require tricking an administrator into clicking a link or performing some other action, it still offers the potential for site takeover. As such, we strongly recommend that you update to the latest version of this plugin, v1.1.17, as soon as possible.

Share this security information with your friends or colleagues so they can avoid being attacked through any of these security issues, which can allow an attacker to completely take over their site.
