The Wordfence Threat Intelligence team has pinpointed a new threat for WordPress users. According to the announcement, they discovered a reflected Cross-Site Scripting (XSS) vulnerability in a popular WordPress plugin, Header Footer Code Manager, which has more than 300,000 installations. The team contacted the publisher and provided full disclosure details. A few days later a patch was released in version 1.1.17.
CVSS Score: 6.1
The vulnerability, tracked as CVE-2022-0710, has a CVSS score of 6.1, which is rated medium. Wordfence released a firewall rule before the publisher released the patch.
Header Footer Code Manager, which lets users add code snippets to the header or footer of a website, allows administrators to view a list of the code snippets added to the site, with links to edit or delete each one. As with other XSS vulnerabilities, it can be used to perform actions within an administrator's session, which allows attackers to create malicious administrator accounts and backdoors.
Since the plugin allows adding code snippets, an attacker could also potentially leverage the reflected XSS into stored XSS. Wordfence urged users to apply the patch as soon as possible to avoid possible attacks targeting their WordPress websites.
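As an added illustration (not the plugin's code, and not the specific flaw, which the report does not detail), here is the generic WordPress admin-page pattern behind a reflected XSS, a request parameter written into the page unescaped, beside a hardened version that allow-lists the value and escapes everything on output; all names prefixed `demo_` are hypothetical:

```php
<?php
// Added example, not code from Header Footer Code Manager. The demo_ functions
// are hypothetical; the WordPress helpers (esc_html, esc_url, sanitize_key,
// wp_unslash, add_query_arg, admin_url) are real core functions.

// Insecure pattern: a request parameter is echoed straight into the admin
// page, so whatever the URL carries is rendered in the administrator's session.
function demo_render_notice_insecure() {
    if ( isset( $_GET['message'] ) ) {
        echo '<div class="notice">' . $_GET['message'] . '</div>';
    }
}

// Hardened pattern: the parameter only selects a message from a fixed list,
// and the chosen text is still escaped when written out.
function demo_render_notice_secure() {
    $allowed = array(
        'saved'   => 'Snippet saved.',
        'deleted' => 'Snippet deleted.',
    );
    $key = isset( $_GET['message'] ) ? sanitize_key( wp_unslash( $_GET['message'] ) ) : '';
    if ( isset( $allowed[ $key ] ) ) {
        echo '<div class="notice notice-success"><p>' . esc_html( $allowed[ $key ] ) . '</p></div>';
    }
}

// The snippet list with edit/delete links: every stored value goes through
// esc_html, every URL through esc_url, and the id is cast to an integer.
function demo_render_snippet_rows( array $snippets ) {
    foreach ( $snippets as $snippet ) {
        $id         = (int) $snippet['id'];
        $base       = admin_url( 'admin.php' );
        $edit_url   = add_query_arg( array( 'page' => 'demo-snippets', 'id' => $id ), $base );
        $delete_url = add_query_arg( array( 'page' => 'demo-snippets', 'action' => 'delete', 'id' => $id ), $base );
        echo '<tr><td>' . esc_html( $snippet['name'] ) . '</td>';
        echo '<td><a href="' . esc_url( $edit_url ) . '">Edit</a> | ';
        echo '<a href="' . esc_url( $delete_url ) . '">Delete</a></td></tr>';
    }
}
```

Escaping on output is the fix for the XSS itself; a nonce on the delete link (wp_nonce_url / check_admin_referer) protects against forged cross-site requests but does not stop script already running inside the admin page.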