A high severity cross-site request forgery (CSRF) bug, tracked as CVE-2020-8417, in Code Snippets plugin could be exploited by attackers to take over WordPress sites running vulnerable versions of the Code Snippets plugin.
The plugin allows users to execute code without adding custom snippets to their theme’s functions.php file.
Code Snippets also implements a graphical interface, similar to the Plugins menu, for managing snippets. Snippets can can be activated and deactivated, just like plugins.
This CSRF vulnerability could be exploited by attackers to forge a request on behalf of an administrator and inject code on a vulnerable site, p
“On January 23rd, our Threat Intelligence team discovered a vulnerability in Code Snippets, a WordPress plugin installed on over 200,000 sites. The flaw allowed anybody to forge a request on behalf of an administrator and inject executable code on a vulnerable site.” reads the advisory published by Wordfence. “This is a Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE) vulnerability. We privately disclosed the full details to the
The Code Snippets plugin currently has more than 200,000 active installs, on January 25, the development team has released the version 2.14.0.
“This request would execute an action, send a request to the site, and the attacker’s malicious code could be injected and executed on the site. With remote code execution vulnerabilities, exploit possibilities are endless.” continues the advisory. “An attacker could create a new administrative account on the site, exfiltrate sensitive information, infect site users, and much more.”
At the time of writing, more than 50K users have downloaded and installed the latest version of the p
(SecurityAffairs – Code Snippets plugin, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.