Code Snippets Vulnerability
Yesterday, 30th January, it was announced that a Code Snippets vulnerability had been discovered. Code Snippets is a WordPress plugin that currently has over 200,000 installs and has previously been mentioned on this blog (Five Essential Plugins for WooCommerce).
What is the Code Snippets Vulnerability?
A high-severity cross-site request forgery (CSRF) bug in the Code Snippets plugin, tracked as CVE-2020-8417, could be exploited by attackers to take over WordPress sites running vulnerable versions of the plugin.
The plugin lets users run custom code snippets without adding them to their theme's functions.php file.
Earlier in the week, Wordfence released the following statement:
“On January 23rd, our Threat Intelligence team discovered a vulnerability in Code Snippets, a WordPress plugin installed on over 200,000 sites. The flaw allowed anybody to forge a request on behalf of an administrator and inject executable code on a vulnerable site. This is a Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE) vulnerability. We privately disclosed the full details to the plugin’s developer on January 24th, who was quick to respond and released a patch one day later.”
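As an added illustration of the bug class Wordfence describes, and not the Code Snippets plugin's own code, the following hypothetical WordPress admin handler shows the vulnerable pattern (a capability check alone, no nonce) beside its hardened form (the plugin, option, action and nonce names are invented for this example):

```php
<?php
// Hypothetical plugin code for illustration only; not taken from Code Snippets.
// The vulnerable handler has no CSRF protection: any POST that arrives with the
// administrator's session cookie is honoured, so a form submitted from another
// site while the admin is logged in can store attacker-supplied code.

// --- Vulnerable pattern: trusts the cookie-authenticated session alone ---
function example_save_snippet_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // No nonce check: the browser attaches the admin cookie to a cross-site POST too.
    $code = isset( $_POST['snippet_code'] ) ? wp_unslash( $_POST['snippet_code'] ) : '';
    update_option( 'example_snippet_code', $code );
    wp_safe_redirect( admin_url( 'admin.php?page=example-snippets' ) );
    exit;
}

// --- Hardened pattern: capability check plus a per-action nonce ---
function example_save_snippet_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // check_admin_referer() verifies a nonce bound to this user and action and
    // dies on failure, so a request forged from another origin cannot carry a valid one.
    check_admin_referer( 'example_save_snippet', '_example_nonce' );
    $code = isset( $_POST['snippet_code'] ) ? wp_unslash( $_POST['snippet_code'] ) : '';
    update_option( 'example_snippet_code', $code );
    wp_safe_redirect( admin_url( 'admin.php?page=example-snippets' ) );
    exit;
}
add_action( 'admin_post_example_save_snippet', 'example_save_snippet_hardened' );

// The legitimate admin form must embed the matching nonce field so that only
// forms rendered by WordPress for this user carry a token the handler accepts.
function example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_snippet">';
    wp_nonce_field( 'example_save_snippet', '_example_nonce' );
    echo '<textarea name="snippet_code"></textarea>';
    submit_button( 'Save' );
    echo '</form>';
}
```

When reviewing a plugin's admin actions, the check to look for is that every state-changing handler calls check_admin_referer() or wp_verify_nonce() in addition to current_user_can().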
How to resolve the Code Snippets Vulnerability?
This is very simple. Navigate to your WordPress plugin section and update the plugin to the newest version – 2.14.0.
Vulnerabilities like this are found often. We therefore recommend that all users keep on top of updates, either manually or by activating automatic updates.