Executive Summary

The AddFunc Head & Footer Code plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 2.3. This vulnerability arises because the plugin outputs certain post meta values (`aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code`) without sanitization or escaping.

Although the plugin restricts its own metabox and save handler to administrators, it does not properly protect these meta keys using WordPress's `register_meta()` with an authorization callback. As a result, authenticated users with Contributor-level access or higher can inject malicious scripts via the WordPress Custom Fields interface.

These injected scripts execute when an administrator previews or views the post, enabling the attacker to perform actions such as stealing cookies or performing unauthorized actions within the administrator's session.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers with Contributor-level access or above to inject malicious scripts that execute in the context of an administrator's browser.

• Execution of arbitrary JavaScript code when an administrator views or previews a post.
• Potential theft of administrator session cookies or credentials.
• Unauthorized actions performed with administrator privileges.
• Compromise of the website's integrity and security.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts that execute when an administrator views or previews a post. Such stored cross-site scripting (XSS) can lead to unauthorized access or manipulation of administrative sessions or data.

While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, the presence of stored XSS vulnerabilities can potentially lead to unauthorized disclosure or alteration of personal or sensitive data, which may violate data protection requirements under these regulations.

Therefore, organizations using the affected plugin versions should consider this vulnerability as a risk to compliance with data protection standards that require safeguarding against unauthorized data access or modification.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should update the AddFunc Head & Footer Code plugin to a version later than 2.3 where the issue is fixed.

Additionally, restrict Contributor-level users from adding or modifying the vulnerable meta keys (`aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code`) by implementing proper authorization checks such as using `register_meta()` with an `auth_callback`.

As a temporary measure, limit access to the WordPress Custom Fields interface to trusted users only, and monitor for suspicious script injections.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves Stored Cross-Site Scripting (XSS) via the WordPress plugin AddFunc Head & Footer Code, specifically through the post meta values `aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code`. Detection involves checking these meta values for injected malicious scripts.

To detect this vulnerability on your system, you can inspect the WordPress database for suspicious or unexpected script tags in the post meta entries related to these keys.

• Use a SQL query to find suspicious content in the post meta table, for example:
• SELECT * FROM wp_postmeta WHERE meta_key IN ('aFhfc_head_code', 'aFhfc_body_code', 'aFhfc_footer_code') AND meta_value LIKE '%<script>%';

Additionally, monitoring HTTP traffic for unexpected script execution or using security plugins that scan for XSS payloads in post meta fields can help detect exploitation attempts.

Useful 0 Not Useful 0