A high-severity cross-site request forgery (CSRF) bug in the Code Snippets WordPress plugin, tracked as CVE-2020-8417, could be exploited by attackers to take over sites running vulnerable versions of the plugin.
The plugin allows users to execute code without adding custom snippets to their theme's functions.php file.
Earlier in the week Wordfence released the following statement:
“On January 23rd, our Threat Intelligence team discovered a vulnerability in Code Snippets, a WordPress plugin installed on over 200,000 sites. The flaw allowed anybody to forge a request on behalf of an administrator and inject executable code on a vulnerable site. This is a Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE) vulnerability. We privately disclosed the full details to the plugin’s developer on January 24th, who was quick to respond and released a patch one day later.”
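To make the CSRF pattern behind the advisory concrete, here is an added example (not the Code Snippets plugin's own code) of a hypothetical admin-only handler that stores submitted code, first without request forgery protection and then with the nonce and capability checks WordPress provides. The option name, hook name and form field names are assumptions chosen for the example.

```php
<?php
// Added example, not the Code Snippets plugin's own code: a hypothetical
// admin-page handler that saves code submitted from a plugin settings form.
// The first function shows the CSRF pattern the advisory describes; the second
// adds the checks WordPress ships with.

// VULNERABLE: the only implicit check is that the browser carries an admin
// session cookie. Any site an administrator visits can submit this form on
// their behalf, and the saved code is later executed by the plugin.
function example_snippet_save_vulnerable() {
    $code = isset( $_POST['snippet_code'] ) ? wp_unslash( $_POST['snippet_code'] ) : '';
    update_option( 'example_snippet_code', $code );
    wp_safe_redirect( admin_url( 'admin.php?page=example-snippets' ) );
    exit;
}

// HARDENED: verify the capability explicitly, then verify a per-user, per-action
// nonce bound to the form. A cross-origin forged request cannot know the nonce
// value, so check_admin_referer() stops with a 403 page before anything is saved.
function example_snippet_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_snippet', 'example_snippet_nonce' );
    $code = isset( $_POST['snippet_code'] ) ? wp_unslash( $_POST['snippet_code'] ) : '';
    update_option( 'example_snippet_code', $code );
    wp_safe_redirect( admin_url( 'admin.php?page=example-snippets' ) );
    exit;
}
// Only the hardened handler is hooked; the vulnerable one is shown for contrast.
add_action( 'admin_post_example_save_snippet', 'example_snippet_save_hardened' );

// The form the hardened handler expects: wp_nonce_field() emits the hidden
// nonce input that check_admin_referer() validates on submission.
function example_snippet_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_snippet">
        <?php wp_nonce_field( 'example_save_snippet', 'example_snippet_nonce' ); ?>
        <textarea name="snippet_code"></textarea>
        <?php submit_button( 'Save snippet' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin, every handler that changes state on behalf of an administrator should look like the hardened form: a capability check plus a nonce check, regardless of whether the data arrives in `$_POST`, `$_GET` or an uploaded file.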
How to resolve the Code Snippets Vulnerability?
This is straightforward. Navigate to the Plugins section of your WordPress dashboard and update the plugin to the newest version, 2.14.0.
Vulnerabilities like this are found often, so we recommend that all users keep on top of updates, either manually or by enabling automatic updates.