A high severity cross-site request forgery (CSRF) bug allows attackers to take over WordPress sites running an unpatched version of the Code Snippets plugin because of missing referer checks on the import menu.
According to the active installations count on its WordPress library entry, the open-source Code Snippets plugin is currently used by more than 200,000 websites.
This open-source plugin makes it possible for users to run PHP code snippets on their WordPress sites and it also provides a “graphical interface, similar to the Plugins menu, for managing snippets.”
WordPress Cross-Site Request Forgery
The vulnerability tracked as CVE-2020-8417 and rated as high severity was patched with the release of version 2.14.0 on January 25, two days after it was discovered and reported to the plugin’s developer by Wordfence’s Threat Intelligence team.
This CSRF “flaw allowed attackers to forge a request on behalf of an administrator and inject code on a vulnerable site,” allowing potential attackers to remotely execute arbitrary code on websites running a vulnerable Code Snippets installation.
“The plugin developer protected nearly all endpoints of this plugin with WordPress ‘nonces’ for greater security,” the Wordfence researchers explain.
“However, the plugin’s import function lacked that same CSRF protection. Without this protection, an attacker could craft a malicious request to trick an administrator into infecting their own site.”
These malicious requests could then be used by the attackers to inject malicious code to be executed on the site thus making it possible to “create a new administrative account on the site, exfiltrate sensitive information, infect site users, and much more.”
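As an added illustration (not the plugin's own code, nor Wordfence's), the following hypothetical WordPress import handler shows the pattern behind this class of bug: an admin-side action that processes any request it receives, beside the same handler guarded by the nonce and capability checks WordPress provides. All hook, field and helper names (`demo_*`) are made up for the example.

```php
<?php
// Added example, not Code Snippets' own code. A hypothetical WordPress import
// handler shown first without CSRF protection, then with the checks WordPress
// provides. Hook names, field names and demo_import_snippets() are made up.

// VULNERABLE PATTERN: every request that reaches this admin-post action is
// processed. Because the browser attaches the logged-in administrator's
// cookies to any request their browser sends, a request originating from a
// third-party page is indistinguishable from one the admin intended.
add_action( 'admin_post_demo_import_unsafe', function () {
    $payload = isset( $_POST['demo_snippets'] ) ? wp_unslash( $_POST['demo_snippets'] ) : '';
    demo_import_snippets( $payload ); // hypothetical helper
    wp_safe_redirect( admin_url( 'admin.php?page=demo-import&done=1' ) );
    exit;
} );

// HARDENED PATTERN: the same handler with the protection the plugin's other
// endpoints already had. check_admin_referer() verifies that the request
// carries a nonce bound to this action and to the current user's session and
// dies on failure; the capability check then limits imports to administrators.
add_action( 'admin_post_demo_import_safe', function () {
    check_admin_referer( 'demo_import_snippets', 'demo_import_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to import snippets.', 403 );
    }
    $payload = isset( $_POST['demo_snippets'] ) ? wp_unslash( $_POST['demo_snippets'] ) : '';
    demo_import_snippets( $payload ); // hypothetical helper
    wp_safe_redirect( admin_url( 'admin.php?page=demo-import&done=1' ) );
    exit;
} );

// The form feeding the hardened handler must carry the matching nonce field;
// wp_nonce_field() emits the hidden input that check_admin_referer() expects.
function demo_render_import_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_import_safe">
        <?php wp_nonce_field( 'demo_import_snippets', 'demo_import_nonce' ); ?>
        <textarea name="demo_snippets"></textarea>
        <?php submit_button( 'Import' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of issue, every `admin_post_*` and `wp_ajax_*` handler that changes state should have a nonce check and a capability check like the hardened handler above; one unguarded endpoint is enough.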
Wordfence provides a video proof of concept walkthrough — embedded above — to showcase the CSRF to RCE vulnerability patched in Code Snippets version 2.14.0.
Wordfence will also publish a proof-of-concept (PoC) exploit on February 12, a delay intended to give the plugin’s users time to update.
WordPress admins who are still using Code Snippets version 2.13.3 or earlier are urged to immediately update their installations to the latest version as a defense measure against future attacks that could enable attackers to take full control of their sites.
While the WordPress plugin library doesn’t provide daily download statistics, roughly 58K users have downloaded and installed the latest version, which means that at least 140K WordPress websites running this plugin are still exposed to potential takeover attacks.