📄 Description (English)
The AddFunc Head & Footer Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code` post meta values in all versions up to, and including, 2.3. This is due to the plugin outputting these meta values without any sanitization or escaping. While the plugin restricts its own metabox and save handler to administrators via `current_user_can('manage_options')`, it does not use `register_meta()` with an `auth_callback` to protect these meta keys. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via the WordPress Custom Fields interface that execute when an administrator previews or views the post.
🤖 AI Executive Summary
The AddFunc Head & Footer Code WordPress plugin (versions ≤2.3) contains a Stored XSS vulnerability in head, body, and footer code meta fields. Authenticated users with Contributor-level access can inject malicious scripts through WordPress Custom Fields that execute when administrators view posts, potentially leading to admin account compromise and site-wide malware injection. No patch is currently available, requiring immediate mitigation strategies.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 15, 2026 21:46
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using WordPress for government portals, banking websites, healthcare information systems, and e-commerce platforms are at significant risk. Government agencies (under NCA oversight), ARAMCO subsidiaries, STC digital services, and financial institutions relying on WordPress plugins face potential compromise of administrative accounts, data exfiltration, and malware distribution. The vulnerability is particularly critical for organizations with multiple contributor-level users managing content, as any such user can compromise the entire WordPress installation when administrators interact with malicious posts.
🏢 Affected Saudi Sectors
Government & Public Administration
Banking & Financial Services
Healthcare & Medical Services
Energy & Utilities
Telecommunications
E-commerce & Retail
Education & Universities
Media & Publishing
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application
T1199 - Trusted Relationship
T1566.002 - Phishing: Spearphishing Link
T1598 - Phishing for Information
T1204.001 - User Execution: Malicious Link
T1547.015 - Boot or Logon Initialization Scripts: Login Hook
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.007 - Command and Scripting Interpreter: JavaScript
T1133 - External Remote Services
T1078.001 - Valid Accounts: Default Accounts
T1078.003 - Valid Accounts: Local Accounts
T1087.001 - Account Discovery: Local Account
T1110.001 - Brute Force: Password Guessing
⚖️ Saudi Risk Score (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all posts and pages for suspicious meta values in aFhfc_head_code, aFhfc_body_code, and aFhfc_footer_code fields using WordPress database queries
2. Disable the AddFunc Head & Footer Code plugin immediately via wp-admin or by renaming the plugin directory
3. Review WordPress user roles and remove unnecessary Contributor-level access; restrict to Editor and Administrator only
4. Audit WordPress user accounts and access logs for unauthorized activity
COMPENSATING CONTROLS:
5. Implement Web Application Firewall (WAF) rules to detect and block script injection patterns in POST requests to wp-admin/post.php
6. Enable WordPress security plugins (Wordfence, Sucuri) with real-time malware scanning
7. Restrict wp-admin access by IP whitelist to known office locations
8. Implement Content Security Policy (CSP) headers to prevent inline script execution
9. Use WordPress security hardening: disable file editing, restrict plugin uploads, enforce strong passwords
DETECTION:
10. Monitor database for suspicious meta key modifications: SELECT * FROM wp_postmeta WHERE meta_key IN ('aFhfc_head_code', 'aFhfc_body_code', 'aFhfc_footer_code') AND meta_value LIKE '%<script%'
11. Log and alert on any post preview/view actions by administrators following contributor edits
12. Monitor wp-admin access logs for Contributor-level users accessing post edit screens
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع المنشورات والصفحات للقيم الوصفية المريبة في حقول aFhfc_head_code و aFhfc_body_code و aFhfc_footer_code باستخدام استعلامات قاعدة بيانات WordPress
2. تعطيل مكون إضافة AddFunc Head & Footer Code فوراً عبر wp-admin أو بإعادة تسمية دليل المكون الإضافي
3. مراجعة أدوار مستخدمي WordPress وإزالة وصول المساهم غير الضروري؛ تقييد الوصول للمحررين والمسؤولين فقط
4. تدقيق حسابات مستخدمي WordPress وسجلات الوصول للنشاط غير المصرح به
الضوابط التعويضية:
5. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن أنماط حقن النصوص البرمجية وحجبها في طلبات POST إلى wp-admin/post.php
6. تفعيل مكونات إضافة أمان WordPress (Wordfence, Sucuri) مع المسح الضار في الوقت الفعلي
7. تقييد وصول wp-admin حسب IP للمواقع المعروفة
8. تنفيذ رؤوس سياسة أمان المحتوى (CSP) لمنع تنفيذ النصوص البرمجية المضمنة
9. تعزيز أمان WordPress: تعطيل تحرير الملفات، تقييد تحميل المكونات الإضافية، فرض كلمات مرور قوية
الكشف:
10. مراقبة قاعدة البيانات للتعديلات المريبة على المفاتيح الوصفية: SELECT * FROM wp_postmeta WHERE meta_key IN ('aFhfc_head_code', 'aFhfc_body_code', 'aFhfc_footer_code') AND meta_value LIKE '%<script%'
11. تسجيل والتنبيه على أي إجراءات معاينة/عرض منشورات من قبل المسؤولين بعد تعديلات المساهم
12. مراقبة سجلات وصول wp-admin لمستخدمي المساهم الذين يصلون إلى شاشات تحرير المنشورات
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.1 - User access management and authentication
A.6.2.1 - User access rights review
A.7.1.1 - Physical and environmental security
A.12.2.1 - Change management procedures
A.12.4.1 - Event logging and monitoring
A.14.2.1 - Secure development and change management
🔵 SAMA CSF
Governance & Risk Management - Security Policy & Standards
Information & Cyber Security - Access Control & Authentication
Information & Cyber Security - Data Protection & Privacy
Operational Resilience - Incident Management & Response
Technology & Infrastructure - Application Security
🟡 ISO 27001:2022
5.1 - Policies for information security
5.15 - Access control
6.1.1 - Information security roles and responsibilities
8.1 - Operational planning and control
8.2.1 - User endpoint devices
8.3.1 - Information and data security
8.3.2 - Information handling
8.3.4 - Removal of access rights
8.4.1 - Event logging
8.4.2 - Protection of log information
🟣 PCI DSS v4.0.1
Requirement 1.1 - Firewall configuration standards
Requirement 2.1 - Default security parameters
Requirement 6.2 - Security patches and updates
Requirement 6.5.1 - Injection flaws
Requirement 7.1 - Limit access to system components
Requirement 8.1 - User identification and authentication
Requirement 10.2 - Automated audit trails
🔗 References & Sources 8
🔗
🔗
🔗
🔗
🔗
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-he...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-he...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-he...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-...
security@wordfence.com
https://plugins.trac.wordpress.org/changeset?old_path=%2Faddfunc-head-footer-code/tags/...
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/2f2d1a67-1d9b-4b73-988e-085ea...
security@wordfence.com