On February 15, 2022, the Wordfence Threat Intelligence team responsibly disclosed a reflected Cross-Site Scripting (XSS) vulnerability in Header Footer Code Manager, a WordPress plugin with over 300,000 installations.
The plugin publisher quickly acknowledged our initial contact, and we sent the full disclosure details the same day, February 15, 2022. A patched version, 1.1.17, was released a few days later, on February 18, 2022.
Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule to protect against this vulnerability on February 15, 2022. Sites still running the free version of Wordfence are partially protected against this exploit by our built-in XSS rule, but will receive full protection 30 days later, on March 17, 2022.
Description: Reflected Cross-Site Scripting
Affected Plugin: Header Footer Code Manager
Plugin Slug: header-footer-code-manager
Plugin Developer: 99robots
Affected Versions: <= 1.1.16
CVE ID: CVE-2022-0710
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 1.1.17
Header Footer Code Manager is a WordPress plugin designed to allow administrators to add code snippets to the header or footer of a website. One of the admin panel pages added by the plugin allows administrators to view a list of code snippets