Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Flaw in ‘Code Snippets’ Plugin Exposed Many WordPress Sites to Attacks

Popular WordPress plugin Code Snippets recently received a patch for a high-severity vulnerability that can be exploited to take control of affected websites.

Popular WordPress plugin Code Snippets recently received a patch for a high-severity vulnerability that can be exploited to take control of affected websites.

The Code Snippets plugin, which has over 200,000 installations, provides admins with a graphical interface to run PHP code on their WordPress-powered websites by removing the need to add custom snippets to the theme’s functions.php file.

The recently discovered security flaw, Wordfence’s security researchers reveal, essentially allowed for attackers “to forge a request on behalf of an administrator and inject executable code on a vulnerable site.” This could result in attackers taking complete control of a website.

What the researchers discovered was that the plugin’s import function did not feature cross-site request forgery (CSRF) protection, which allowed attackers to trick admins into infecting their own site by crafting malicious requests.

Such a request would execute an action and send a request to the site, thus allowing for the attacker’s malicious code to be injected and executed.

“With remote code execution vulnerabilities, exploit possibilities are endless. An attacker could create a new administrative account on the site, exfiltrate sensitive information, infect site users, and much more,” Wordfence says.

While the plugin would set all code snippets as ‘disabled’ by default upon import, thus offering protection by requiring explicit admin action to enable them, the researchers discovered that it was easy to bypass the protection and allow code snippets to be enabled upon import.

For that, the attacker would only need to inject an “active” flag with a value of “1” into the JSON body that contains the code import details, which would result in the code snippet being automatically enabled upon import.

Advertisement. Scroll to continue reading.

Thus, the attacker could inject malicious code and ensure it would be executed as soon as a user accessed the site.

Wordfence contacted the plugin’s developer on January 23 to inform them on the issue and a patch was released by January 25. Code Snippets version 2.14.0 corrects the vulnerability and site admins are encouraged to update to the patched iteration as soon as possible.

“The developer corrected this so that code snippets would always be disabled upon import explicitly, rather than using a more implicit technique to disable snippets upon import found in vulnerable versions of the plugin,” Wordfence explains.

The security researchers also published a video to demonstrate how the vulnerability can be abused.

Related: Critical Bug Patched in Popular Jetpack WordPress Plugin

Related: WordPress 5.2.4 Patches Six Vulnerabilities

Related: SEO Spam Dominated Website Infections in 2019: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.