Flaw in ‘Code Snippets’ Plugin Exposed Many WordPress Sites to Attacks
Popular WordPress plugin Code Snippets recently received a patch for a high-severity vulnerability that can be exploited to take control of affected websites.
The Code Snippets plugin, which has over 200,000 installations, provides admins with a graphical interface to run PHP code on their WordPress-powered websites by removing the need to add custom snippets to the theme’s functions.php file.
The recently discovered security flaw, Wordfence’s security researchers reveal, essentially allowed for attackers “to forge a request on behalf of an administrator and inject executable code on a vulnerable site.” This could result in attackers taking complete control of a website.
What the researchers discovered was that the plugin’s import function did not feature cross-site request forgery (CSRF) protection, which allowed attackers to trick admins into infecting their own site by crafting malicious requests.
Such a request would execute an action and send a request to the site, thus allowing for the attacker’s malicious code to be injected and executed.
“With remote code execution vulnerabilities, exploit possibilities are endless. An attacker could create a new administrative account on the site, exfiltrate sensitive information, infect site users, and much more,” Wordfence says.
While the plugin would set all code snippets as ‘disabled’ by default upon import, thus offering protection by requiring explicit admin action to enable them, the researchers discovered that it was easy to bypass the protection and allow code snippets to be enabled upon import.
For that, the attacker would only need to inject an “active” flag with a value of “1” into the JSON body that contains the code import details, which would result in the code snippet being automatically enabled upon import.
Thus, the attacker could inject malicious code and ensure it would be executed as soon as a user accessed the site.
Wordfence contacted the plugin’s developer on January 23 to inform them on the issue and a patch was released by January 25. Code Snippets version 2.14.0 corrects the vulnerability and site admins are encouraged to update to the patched iteration as soon as possible.
“The developer corrected this so that code snippets would always be disabled upon import explicitly, rather than using a more implicit technique to disable snippets upon import found in vulnerable versions of the plugin,” Wordfence explains.
The security researchers also published a video to demonstrate how the vulnerability can be abused.