A high severity cross-site request forgery (CSRF) bug, tracked as CVE-2020-8417, in Code Snippets plugin could be exploited by attackers to take over WordPress sites running vulnerable versions of the Code Snippets plugin.
The plugin allows users to execute code without adding custom snippets to their theme’s functions.php file.
Code Snippets also implements a graphical interface, similar to the Plugins menu, for managing snippets. Snippets can can be activated and deactivated, just like plugins.
This CSRF vulnerability could be exploited by attackers to forge a request on behalf of an administrator and inject code on a vulnerable site, p
“On January 23rd, our Threat Intelligence team discovered a vulnerability in Code Snippets, a WordPress plugin installed on over 200,000 sites. The flaw allowed anybody to forge a request on behalf of an administrator and inject executable code on a vulnerable site.” reads the advisory published by Wordfence. “This is a Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE) vulnerability. We privately disclosed the full details to the
The Code Snippets plugin currently has more than 200,000 active installs, on January 25, the development team has released the version 2.14.0.
“This request would execute an action, send a request to the site, and the attacker’s malicious code could be injected and executed on the site. With remote code execution vulnerabilities, exploit possibilities are endless.” continues the advisory. “An attacker could create a new administrative account on the site, exfiltrate sensitive information, infect site users, and much more.”
At the time of writing, more than 50K users have downloaded and installed the latest version of the p
(SecurityAffairs – Code Snippets plugin, hacking)