Security researchers discovered a severe vulnerability present in older versions of the popular WordPress plugin Code Snippets that could allow attackers to take over a person’s website remotely. The plugin’s developers have issued a patch to fix the bug, but there are still over 200,000 websites at risk.
Code Snippets allows WordPress sites to run small bits of PHP code to add extra features without needing extra plugins, and you can even use pre-written code to make the process easy. It’s a helpful tool for folks who may not have the programming skills to write plugins themselves, but as Threatpost explains in its report of the bug, Code Snippets’ import tool fails to check the source and safety of the code first, meaning users could unwittingly import and run malicious code. This could open their sites up to various attacks—including allowing hackers to execute commands without administrator access.
It’s a scary bug, but it’s fixable. If your WordPress site uses Code Snippets, you should update the plugin right away—especially before adding or running any new code on your site. You can grab the update by logging into your website’s backend, then going to the “Updates” section from the WordPress dashboard. You can also download and install the latest version from Code Snippets’ WordPress Plugins page.