Security researchers have discovered a vulnerability in a WordPress plugin that enables attackers to forge a request on behalf of an administrator and inject executable code on a vulnerable site.
According to a blog post by researchers at Wordfence, the flaw is in Code Snippets, a WordPress plugin installed on over 200,000 sites. This plugin enables websites to run PHP code and extend functionality.
The vulnerability is a Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE). Researchers said that the plugin’s developer had protected nearly all endpoints of this plugin with WordPress “nonces” for greater security. However, the plugin’s import function lacked that same CSRF protection. Without this protection, an attacker could craft a malicious request to trick an administrator into infecting their own site.
“This request would execute an action, send a request to the site, and the attacker’s malicious code could be injected and executed on the site. With remote code execution vulnerabilities, exploit possibilities are endless. An attacker could create a new administrative account on the site, exfiltrate sensitive information, infect site users, and much more,” said Chloe Chamberland, a WordPress security researcher at Wordfence.
She added that a hacker could simply inject an “active” flag with a value of “1” into the JSON body containing the code import details, and the code snippet would be enabled upon import.
“This escalated a minor problem into a very severe one, as an attacker could now inject malicious code and ensure it would be activated and executed whenever someone accessed the site,” she said.
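As an added illustration (constructed for this article, not the Code Snippets plugin’s own code; every function and option name is assumed), the following shows the shape of an import handler that lacks a nonce check next to a hardened one that verifies the nonce, checks capability, and ignores any “active” flag carried in the uploaded JSON:

```php
<?php
// Constructed example, not the plugin's real code. save_snippet() and the
// 'example_snippets' option are assumed names.

// Vulnerable shape: any POST that reaches this action is acted on, so a
// logged-in administrator's browser can be made to submit it cross-site,
// and the "active" flag from the uploaded file is honoured as-is.
function vulnerable_import_snippets() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    $json = file_get_contents( $_FILES['snippets']['tmp_name'] );
    foreach ( json_decode( $json, true ) as $snippet ) {
        // Code and activation state come straight from the uploaded file.
        save_snippet( $snippet['code'], (bool) $snippet['active'] );
    }
}

// Hardened shape: the form carries a nonce bound to the import action.
function hardened_import_form() {
    echo '<form method="post" enctype="multipart/form-data">';
    wp_nonce_field( 'import_snippets', '_snippets_nonce' );
    echo '<input type="file" name="snippets"><button>Import</button></form>';
}

function hardened_import_snippets() {
    // check_admin_referer() stops with a 403 when the nonce is missing or
    // invalid; a forged cross-site request cannot supply a valid one.
    check_admin_referer( 'import_snippets', '_snippets_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    $json     = file_get_contents( $_FILES['snippets']['tmp_name'] );
    $snippets = json_decode( $json, true );
    if ( ! is_array( $snippets ) ) {
        wp_die( 'Invalid import file' );
    }
    foreach ( $snippets as $snippet ) {
        // Imports always land disabled; an administrator enables them later.
        save_snippet( (string) $snippet['code'], false );
    }
}

// Assumed storage helper; a real plugin would use its own table.
function save_snippet( $code, $active ) {
    $snippets   = get_option( 'example_snippets', array() );
    $snippets[] = array( 'code' => $code, 'active' => $active );
    update_option( 'example_snippets', $snippets );
}
```

The nonce is what ties the request to a form the administrator actually loaded; storing imports as inactive additionally removes the escalation Chamberland describes, since nothing runs until someone with access deliberately enables it.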
A patch for this flaw was released on 25 January.
Niamh Muldoon, senior director of Trust and Security, EMEA at OneLogin, told SC Media UK that this is an example of the importance of an enterprise security programme, where organisations understand their information assets and have an up-to-date asset management inventory.
“By having these, organisations can prioritise applying patches when ‘day-zero’ type of vulnerabilities and/or bugs like this are announced,” she said. “The prioritisation of applying patches varies from organisation to organisation, but should fundamentally be based on risk assessment criteria of the services offered by the exposed website, i.e. payments, authentication credentials and PII data.”
Peter Draper, technical director EMEA at Gurucul, told SC Media UK that many organisations have systems which rely on the addition of open source components such as this.
“The challenge is that not all developers are as focused on security as they should be. However, as we know, not everyone running WordPress, unless running through a service provider who manages the updates for them, can deploy this quickly, or even at all. If you are responsible for any WordPress site and are using plugins or code snippets (which will be a significant portion of WordPress users) then it is incumbent on you to fully test and scan your site before releasing into production to ensure that vulnerabilities like this do not become ‘part of your world’,” he said.