Header Footer Code Manager is a WordPress plugin designed to allow administrators to add code snippets to the header or footer of a website. One of the admin panel pages added by the plugin allows administrators to view a list of the code snippets that have been added to the site, including links to edit or delete each existing snippet. The plugin's column_name function used the $_REQUEST['page'] parameter to construct this link.

WordPress uses the value of the $_GET['page'] parameter to determine which admin page the user is currently visiting, and blocks users who are not authorized to access the page set in $_GET['page']. This means that $_REQUEST['page'] might be expected to contain only the slug of the admin page that displays the list of code snippets, hfcm-list. However, due to a quirk of how PHP handles superglobal variables, $_REQUEST parameters can be overloaded: $_REQUEST is assembled by merging the GET, POST (and optionally COOKIE) arrays in the order given by PHP's request_order setting, so a POST field named page silently replaces the GET value that WordPress actually routed and authorized on.
Full explanation: https://www.wordfence.com/blog/2022/02/reflected-xss-in-header-footer-code-manager
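The following is an added illustration, not code from the plugin or from the Wordfence write-up: it reproduces the $_REQUEST merge order in plain PHP, shows a link-builder that trusts $_REQUEST['page'] next to a hardened version that allowlists the slug from $_GET and escapes the attribute. The function names, the request_order value "GP" and the marker string are constructed for the example.

```php
<?php
// PHP builds $_REQUEST by merging GET, POST (and optionally COOKIE) in the
// order named by the request_order ini setting; with "GP" (the php.ini
// default) a POST field of the same name overrides the GET field.
function build_request(array $get, array $post, string $order = 'GP'): array
{
    $sources = ['G' => $get, 'P' => $post];
    $request = [];
    foreach (str_split($order) as $letter) {
        // later sources win, exactly as PHP's merge does
        $request = array_merge($request, $sources[$letter] ?? []);
    }
    return $request;
}

// Vulnerable pattern (mirrors the issue described above): the page slug is
// taken from $_REQUEST and placed in an href with no validation or escaping,
// so nothing guarantees it is still the slug WordPress authorized.
function edit_link_vulnerable(array $request, int $id): string
{
    return '<a href="admin.php?page=' . $request['page']
         . '&action=edit&id=' . $id . '">Edit</a>';
}

// Hardened pattern: read only $_GET (the array WordPress routed on),
// accept only the known slug, and escape the attribute regardless.
// Inside WordPress, esc_url() would replace the manual encoding below.
function edit_link_hardened(array $get, int $id): string
{
    $allowed = ['hfcm-list'];
    $page = in_array($get['page'] ?? '', $allowed, true) ? $get['page'] : 'hfcm-list';
    $href = 'admin.php?page=' . rawurlencode($page) . '&action=edit&id=' . $id;
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">Edit</a>';
}

// Constructed request: WordPress sees $_GET['page'] = hfcm-list and grants
// access, while the POST body carries a different 'page' field (a neutral
// marker, not an attack string) that wins the $_REQUEST merge.
$get  = ['page' => 'hfcm-list'];
$post = ['page' => 'OVERRIDE"MARKER'];
$request = build_request($get, $post);

echo $request['page'], PHP_EOL;                   // POST value replaced the GET value
echo edit_link_vulnerable($request, 7), PHP_EOL;  // marker and quote land raw in href
echo edit_link_hardened($get, 7), PHP_EOL;        // slug allowlisted, quotes escaped
```

Running the script with `request_order` changed to "PG" shows the GET value winning instead, which is why code must not assume $_REQUEST['page'] equals the value WordPress checked.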