Security Experts:

Connect with us

Hi, what are you looking for?



Flaw in ‘Code Snippets’ Plugin Exposed Many WordPress Sites to Attacks

Popular WordPress plugin Code Snippets recently received a patch for a high-severity vulnerability that can be exploited to take control of affected websites.

Popular WordPress plugin Code Snippets recently received a patch for a high-severity vulnerability that can be exploited to take control of affected websites.

The Code Snippets plugin, which has over 200,000 installations, provides admins with a graphical interface to run PHP code on their WordPress-powered websites by removing the need to add custom snippets to the theme’s functions.php file.

The recently discovered security flaw, Wordfence’s security researchers reveal, essentially allowed for attackers “to forge a request on behalf of an administrator and inject executable code on a vulnerable site.” This could result in attackers taking complete control of a website.

What the researchers discovered was that the plugin’s import function did not feature cross-site request forgery (CSRF) protection, which allowed attackers to trick admins into infecting their own site by crafting malicious requests.

Such a request would execute an action and send a request to the site, thus allowing for the attacker’s malicious code to be injected and executed.

“With remote code execution vulnerabilities, exploit possibilities are endless. An attacker could create a new administrative account on the site, exfiltrate sensitive information, infect site users, and much more,” Wordfence says.

While the plugin would set all code snippets as ‘disabled’ by default upon import, thus offering protection by requiring explicit admin action to enable them, the researchers discovered that it was easy to bypass the protection and allow code snippets to be enabled upon import.

For that, the attacker would only need to inject an “active” flag with a value of “1” into the JSON body that contains the code import details, which would result in the code snippet being automatically enabled upon import.

Thus, the attacker could inject malicious code and ensure it would be executed as soon as a user accessed the site.

Wordfence contacted the plugin’s developer on January 23 to inform them on the issue and a patch was released by January 25. Code Snippets version 2.14.0 corrects the vulnerability and site admins are encouraged to update to the patched iteration as soon as possible.

“The developer corrected this so that code snippets would always be disabled upon import explicitly, rather than using a more implicit technique to disable snippets upon import found in vulnerable versions of the plugin,” Wordfence explains.

The security researchers also published a video to demonstrate how the vulnerability can be abused.

Related: Critical Bug Patched in Popular Jetpack WordPress Plugin

Related: WordPress 5.2.4 Patches Six Vulnerabilities

Related: SEO Spam Dominated Website Infections in 2019: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet