Over 200K WordPress sites potentially exposed to hack due to Code Snippets flaw

Over 200K WordPress sites are exposed to attacks due to a high severity cross-site request forgery (CSRF) bug in Code Snippets plugin.

A high severity cross-site request forgery (CSRF) bug, tracked as CVE-2020-8417, in Code Snippets plugin could be exploited by attackers to take over WordPress sites running vulnerable versions of the Code Snippets plugin.

The plugin allows users to execute code without adding custom snippets to their theme’s functions.php file.

Code Snippets also implements a graphical interface, similar to the Plugins menu, for managing snippets. Snippets can can be activated and deactivated, just like plugins. 

This CSRF vulnerability could be exploited by attackers to forge a request on behalf of an administrator and inject code on a vulnerable site, potentially allowing remotely execute arbitrary code on WordPress installs running vulnerable Code Snippets installation.

“On January 23rd, our Threat Intelligence team discovered a vulnerability in Code Snippets, a WordPress plugin installed on over 200,000 sites. The flaw allowed anybody to forge a request on behalf of an administrator and inject executable code on a vulnerable site.” reads the advisory published by Wordfence. “This is a Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE) vulnerability. We privately disclosed the full details to the plugin’s developer on January 24th, who was quick to respond and released a patch one day later.”

The Code Snippets plugin currently has more than 200,000 active installs, on January 25, the development team has released the version 2.14.0.

Wordfence researchers explained that the developers have protected nearly all endpoints of this plugin with WordPress “nonces,” except the plugin’s import function that lacked that CSRF protection. An attacker could craft a malicious request to trick an administrator into compromising their own site, for example by creating a new administrative account on the site, exfiltrating sensitive information, and infect site users.

“This request would execute an action, send a request to the site, and the attacker’s malicious code could be injected and executed on the site. With remote code execution vulnerabilities, exploit possibilities are endless.” continues the advisory. “An attacker could create a new administrative account on the site, exfiltrate sensitive information, infect site users, and much more.”

Experts published a video proof of concept of the attack.

Experts will published a proof-of-concept (PoC) exploit on February 12, for this reason, it is essential to update the plugin asap.

At the time of writing, more than 50K users have downloaded and installed the latest version of the plugin, but other 150K are still exposed to attacks.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Code Snippets plugin, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]