CVE-2024-13900 in Head, Footer and Post Injections Plugininfo

Summary

by MITRE • 02/21/2025

The Head, Footer and Post Injections plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject PHP Code in multisite environments.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 02/25/2025

The vulnerability identified as CVE-2024-13900 affects the Head Footer and Post Injections plugin for WordPress, representing a critical security flaw that enables unauthorized code execution within affected environments. This vulnerability specifically targets versions up to and including 3.3.0, making it a persistent threat across multiple plugin releases. The flaw resides in the plugin's handling of user input within multisite WordPress configurations, where authenticated attackers with administrator-level privileges can exploit this weakness to inject malicious PHP code directly into the system.

The technical nature of this vulnerability falls under CWE-94, which describes "Improper Control of Generation of Code ('Code Injection')" and specifically relates to PHP Code Injection attacks. The flaw occurs when the plugin fails to properly sanitize or validate user-supplied input that is subsequently executed as PHP code within the WordPress environment. In multisite configurations, this vulnerability becomes particularly dangerous because administrators can manipulate content injection points that affect multiple sites within the same network. The attack vector requires authentication with administrator-level privileges, which aligns with ATT&CK technique T1078.004 for valid accounts and T1548.001 for abuse of privileges.

The operational impact of this vulnerability extends beyond simple code injection, as it provides attackers with complete control over the affected WordPress multisite installations. Once exploited, attackers can execute arbitrary PHP code with the privileges of the web server, potentially leading to data exfiltration, site defacement, or further compromise of the underlying infrastructure. The vulnerability is particularly concerning in multisite environments where a single compromised administrator account could affect multiple websites within the network, creating a cascading security failure. This type of attack can also be leveraged for persistent access through backdoor code injection, making the compromise difficult to detect and remediate.

Mitigation strategies for CVE-2024-13900 should prioritize immediate plugin updates to versions that address the code injection vulnerability, as this represents the most direct solution to prevent exploitation. Organizations should implement strict input validation and sanitization measures for all user-supplied content within WordPress environments, particularly in multisite configurations where the attack surface is expanded. Network monitoring should be enhanced to detect unusual PHP code execution patterns, and privilege escalation should be carefully controlled through role-based access controls that limit administrator access to only necessary personnel. Security hardening measures including disabling unnecessary PHP functions and implementing web application firewalls should also be considered as additional protective layers. Regular security audits and vulnerability assessments should be conducted to identify similar weaknesses in other WordPress plugins and themes that may present similar attack vectors.

Responsible

Wordfence

Reservation

02/20/2025

Disclosure

02/21/2025

Moderation

accepted

CPE

ready

EPSS

0.00383

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!