A high-severity vulnerability exists in a popular WordPress plugin, potentially opening up 200,000 websites to takeover.
The WordPress plugin in question is Code Snippets, which allows users to run small chunks of PHP code on their websites. This can be used to extend the functionality of the website (essentially acting as a mini-plugin). The flaw (CVE-2020-8417) has been patched by the plugin’s developer, Code Snippets Pro.
“This is a high severity security issue that could cause complete site takeover, information disclosure, and more,” said Chloe Chamberland with Wordfence, who discovered the flaw, in an analysis this week. “We highly recommend updating to the latest version (2.14.0) immediately.”
Code Snippets offers an import menu for importing code onto the website. However, researchers found that the import menu was missing a referrer check, the check that lets a site verify where a request originated. Without it, an import request coming from another site would be accepted, meaning malicious code could be enabled upon import.
That opens affected websites up to cross-site request forgery (CSRF), an attack that forces a victim (once they click on a malicious link) to execute unwanted actions on web applications in which they’re currently authenticated.
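To show how a missing check of this kind plays out in plugin code, here is an added illustration that is not the Code Snippets plugin’s own code: a hypothetical WordPress admin import handler written without and then with WordPress’s nonce (“admin referer”) check. The hook, function and option names are assumptions.

```php
<?php
// Added illustration (not the Code Snippets plugin's code). All names are hypothetical.

// VULNERABLE: accepts any POST that reaches the handler. A logged-in administrator
// who visits an attacker-controlled page can be made to submit this form; the
// browser attaches the admin's session cookie, so the import is accepted.
function example_import_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // No nonce / referer check here: the request's origin is never verified.
    $code = isset( $_POST['snippet_code'] ) ? wp_unslash( $_POST['snippet_code'] ) : '';
    update_option( 'example_imported_snippet', $code );
    wp_safe_redirect( admin_url( 'admin.php?page=example-import&done=1' ) );
    exit;
}

// HARDENED: same handler plus a nonce tied to this action. The nonce is bound to
// the user's session, is only rendered inside the real admin form and is unknown
// to a third-party site, so a forged cross-site POST fails the check.
function example_import_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // Verifies $_POST['_wpnonce'] against the action 'example_import';
    // on failure WordPress stops the request with a 403 "link has expired" page.
    check_admin_referer( 'example_import' );
    $code = isset( $_POST['snippet_code'] ) ? wp_unslash( $_POST['snippet_code'] ) : '';
    update_option( 'example_imported_snippet', $code );
    wp_safe_redirect( admin_url( 'admin.php?page=example-import&done=1' ) );
    exit;
}
add_action( 'admin_post_example_import', 'example_import_hardened' );

// The admin form must emit the matching nonce field so legitimate submissions pass.
function example_import_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_import">';
    wp_nonce_field( 'example_import' ); // adds _wpnonce and _wp_http_referer fields
    echo '<textarea name="snippet_code"></textarea>';
    submit_button( 'Import' );
    echo '</form>';
}
```

The capability check alone does not stop CSRF, because the forged request is made by an already-authorised administrator’s browser; only the nonce ties the request to a form the site itself rendered.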
In a video (below), researchers showed how an attacker could craft a malicious request and trick an administrator into clicking a link that triggers it. The resulting request to the site would carry out the import action, allowing the attacker’s malicious code to be injected and executed on the site.
“With remote code execution vulnerabilities, exploit possibilities are endless,” said Chamberland. “An attacker could create a new administrative account on the site, exfiltrate sensitive information, infect site users, and much more.”
The flaw was first discovered on Jan. 23; a patch was released by developers on Jan. 25. Security experts, like James McQuiggan, security awareness advocate at KnowBe4, urge Code Snippets users to update to the latest version of the plugin immediately – particularly as the plugin has a wide install base of 200,000 websites.
“For users and organizations who use WordPress for their website needs, they’ll want to make sure they have the latest and greatest plugins as well as updates for their site to reduce the risk of a data breach or attack,” said McQuiggan. “While this exploit is dangerous, the patch is available and it is highly recommended for website owners to streamline all patches and updates as soon as possible.”
It’s only the latest WordPress plugin to face security issues. Earlier this month two WordPress plugins, InfiniteWP Client and WP Time Capsule, were found to suffer from the same critical authorization bypass bug, which allows adversaries to access a site’s backend with no password. And in December, the plugins Ultimate Addons for Beaver Builder and Ultimate Addons for Elementor were discovered to have a “major” flaw that could give hackers administrative access.