Scroll Top

Vulnerability in Code Snippets plugin for WordPress discovered

February 11, 2020

A serious vulnerability has been discovered in older versions of the popular Code Snippets plugin for WordPress. The flaw allowed anybody to forge a request on behalf of an administrator and inject executable code on a vulnerable site. This is a Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE) vulnerability. The developers of the plugin have now rolled out an update with a patch. Users are advised to immediately update to Code Snippets version 2.14.0.

Code Snippets plugin

Code Snippets is a plugin that makes it possible to add extra features to your WordPress website by executing small pieces of PHP code, without the need for a separate plugin for each feature. Many of those “snippets” have already been written. Code Snippets is a handy tool for WordPress users who have little or no programming knowledge. The plugin currently has more than 200,000 active installations.

 

Vulnerability

According to the team at Wordfence, who have discovered the vulnerability on january 23rd, there was insufficient control in the Code Snippet import tool to guarantee the source and security of the snippets. This allowed users to unknowingly import malicious code, with all its consequences. WordPress sites that run the Code Snippets plugin run the risk of becoming the victim of a so-called cross-site request forgery (CSRF), an attack in which an admin user is tricked into clicking on a malicious link. This triggers unwanted actions. A hacker would then even be able to create a new admin account and completely take over the website in question.

“Code snippets were implicitly set as ‘disabled’ by default upon import. For imported code snippets to be enabled, additional action needed to be taken. This seemed like great news as it appeared no code snippets that were imported as a result of CSRF would actually be executed on the site unless a site administrator enabled that code – which would be unlikely during a CSRF attack. However, we discovered that this protection could easily be bypassed to allow a code snippet to be enabled upon import.

An attacker could simply inject an “active” flag with a value of “1” into the JSON body containing the code import details, and the code snippet would be enabled upon import. This escalated a minor problem into a very severe one, as an attacker could now inject malicious code and ensure it would be activated and executed whenever someone accessed the site.”

The video below shows a proof of concept:

Update

Are you using the Code Snippets plugin? Then login to the administrative backend of your WordPress website and go to Plugins > Update to update the plugin.

to install the latest version (2.14.0) of the plugin. You can also download and install the latest version from the WordPress.org plugin page.

Join Our Online Security and Hosting Newsletter Today

and stay updated with the latest news, updates, releases & much more.
Subscribe
SUBSCRIBE NOW
We respect your privacy.

Related Posts

libgcrypt vulnerability patched

Researchers from universities in Adelaide, Eindhoven, Chicago, Maryland and Pennsylvania have published a paper describing how they used a local side-channel attack to break the Libgcrypt encryption library. The exploit could be used to recover a RSA-1024 key. Join Our Online Security and Hosting Newsletter Today and stay updated…

07 Jul 2017
vulnerability discovered in WooCommerce Checkout Manager

A vulnerability in a popular WordPress plugin called the WooCommerce Checkout Manager is potentially putting more than 60,000 websites at risk, researchers say. The WooCommerce Checkout Manager plugin allows WooCommerce users to customize and manage the fields on their checkout pages. The plugin, owned by Visser Labs, is separate…

07 May 2019
Exploit WordPress Arigato Autoresponder and Newsletter v2.5.1.8

The Arigato Autoresponder and Newsletter by Kiboko Labs plugin allows scheduling of automated autoresponder messages and newsletters, and managing a mailing list. You can add/edit/delete and import/export members. There is also a registration form which can be placed in any website or blog. Join Our Online Security and Hosting Newsletter…

28 Dec 2018
New SGAxe and CrossTalk Side-Channel Attacks uncovered for Intel processors

Over the past two years, processors, in particular processors made by Intel, have been targeted by an unending series of attacks that have made it possible for skilled attackers to intercept passwords, encryption keys, and other secrets out of data stored in resident memory. Join Our Online Security and…

13 Jun 2020
cPanel TSR-2017-0002 Announcement

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv3 scores ranging from…

31 Mar 2017
cPanel Security Update

cPanel has released new builds for all public update tiers. These updates provide targeted changes to address security concerns with the cPanel & WHM product. These builds are currently available to all customers via the standard update system. cPanel has rated these updates as having CVSSv2 scores ranging from…

17 Jan 2016
WordPress 3.8.2 Security Release

WordPress 3.8.2 is now available. This is an important security release for all previous versions and we strongly encourage you to update your sites immediately. This releases fixes a weakness that could let an attacker force their way into your site by forging authentication cookies. This was discovered and…

11 Apr 2014
Joomla 3.7.3 update fixes 3 vulnerabilities

Joomla! has released version 3.7.3 of its Content Management System (CMS) software that addresses several security issues. A remote attacker could exploit some of these vulnerabilities to take control of an affected website. Join Our Online Security and Hosting Newsletter Today and stay updated with the latest news, updates,…

05 Jul 2017
WordPress 4.7.2 security update

WordPress 4.7.2 was released last Thursday, January 26th. WordPress have just announced that In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed. Join Our Online Security and Hosting Newsletter Today and stay…

06 Feb 2017
MariaDB – MyiSAM/Aria File Delete Vulnerability

Product Description: MariaDB Server is one of the most popular database servers in the world. It is developed by the original creators of the ubiquitous MySQL server and it is guaranteed by the developers to remain open source software. Notable users of MariaDB include Wikipedia, WordPress.com and Google. MariaDB…

09 Nov 2020
Intel’s AMT Vulnerability Appears Relatively Easy To Abuse

A vulnerability in Intel’s Active Management Technology (AMT) feature of Intel processors appears relatively easy to abusive. A remote control authentication screen can be bypassed using a blank string through a proxy server. AMT lets sysadmins perform powerful tasks over a remote connection. Join Our Online Security and Hosting…

09 May 2017
Vulnerability Patched in Ad Inserter Plugin for WordPress

Ad Inserter is a popular WordPress plugin for managing advertisements. Last week it appeared that version 2.4.21 and below of the plugin contains two critical vulnerabilities. The developer has since released an update to patch the vulnerabilities. Users are advised to update as quickly as possible. Join Our Online…

17 Jul 2019
Xen security updates issued

Numerous updates were just released to address various security vulnerabilities and it is recommended that you update as soon as possible. (XSA-145 to XSA-153) Official Link: http://xenbits.xen.org/xsa/ Source: Hostingseclist Join Our Online Security and Hosting Newsletter Today and stay updated with the latest news, updates, releases & much more….

29 Oct 2015
Authentication bypass bugs in 3 plugins make 400.000 websites vulnerable

Researchers have discovered authorization bypass bugs in three WordPress plugins, making a total of 400,000 WordPress websites vulnerable to cyber attacks. The affected plugins are InfiniteWP, WP Time Capsule and the WP Database Reset plugin. Join Our Online Security and Hosting Newsletter Today and stay updated with the latest…

23 Jan 2020
Linux Sudo patches address vulnerability

Security updates have been issued for several Linux distributions to address a flaw in Sudo. Sudo allows users to run programs with the security privileges of another user, by default the superuser. Users must, by default, supply their own password for authentication, rather than the password of the target…

02 Jun 2017

Join Our Online Security and Hosting Newsletter Today

and stay updated with the latest news, updates, releases & much more.
Subscribe
SUBSCRIBE NOW
We respect your privacy.
close-link
Our website uses cookies from third party services to improve your browsing experience. Read more about this and how you can control cookies by clicking "Privacy Preferences".
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.
Privacy Policy
You have read and agreed to our privacy policy
Required
Privacy Policy Cookies Policy