A high severity cross-site request forgery (CSRF) bug allows attackers to take over WordPress sites running an unpatched version of the Code Snippets plugin because of missing referer checks on the import menu.
According to the active installations count on its WordPress library entry, the open-source Code Snippets plugin is currently used by more than 200,000 websites. The vulnerability tracked as CVE-2020-8417 and rated as high severity was patched with the release of version 2.14.0 on January 25, two days after it was discovered and reported to the plugin’s developer by Wordfence’s Threat Intelligence team.
This CSRF “flaw allowed attackers to forge a request on behalf of an administrator and inject code on a vulnerable site,” allowing potential attackers to remotely execute arbitrary code on websites running vulnerable Code Snippets installation.
These malicious requests could be used by the attackers to inject malicious code to be executed on the site thus making it possible to create a new administrative account on the site, exfiltrate sensitive information, infect site users, and much more.