Recently, the Code Snippets plug-in was found to contain a serious Cross-Site Request Forgery (CSRF) vulnerability (CVE-2020-8417), affecting more than 200,000 WordPress websites.
Attackers can use the vulnerability to take over WordPress sites running the vulnerable plug-in and execute malicious code on them. Code Snippets exists precisely so that site owners can run custom PHP on their site without adding it to the theme's functions.php file.
Code Snippets also provides a graphical interface, similar to the Plugins menu, for managing the stored snippets. Just like normal plug-ins, individual snippets can be activated or deactivated.
An attacker can use this CSRF vulnerability to craft a request that the browser of a logged-in administrator will issue on the attacker's behalf, inject malicious code into the vulnerable site, and thereby execute arbitrary code remotely.
"On January 23, our threat intelligence team found a vulnerability in Code Snippets, a WordPress plug-in installed on more than 200,000 websites," Wordfence said in a security report. "It allows anyone to make a request as an administrator. We disclosed all the details of the vulnerability to the plug-in developers on January 24, and they quickly responded and released a security patch a day later."
The plug-in is currently installed on more than 200,000 websites. On January 25, the development team released version 2.14.0, which fixes the issue.
Wordfence researchers say that almost all of the plug-in's endpoints are protected; the exception is the snippet import function, which lacks CSRF protection. An attacker can craft a malicious request, trick an administrator into triggering it (for example by getting them to open a link or visit a page the attacker controls), and silently create a new administrator account on the site, steal sensitive information, or do anything else the injected PHP can do.
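To make the missing check concrete, here is an added illustration of the pattern behind both the attack described above and the fix: a WordPress admin-post handler that accepts imported code with only a capability check, beside the same handler with a nonce check. This is example code written for this article, not code from the Code Snippets plug-in; the handler names, the `example_import` action, and `example_store_snippet()` are hypothetical stand-ins, while `current_user_can`, `check_admin_referer`, `wp_nonce_field` and the `admin_post_*` hook are standard WordPress APIs.

```php
<?php
/**
 * Added illustration, not code from the Code Snippets plug-in.
 * The handler names, the "example_import" action and
 * example_store_snippet() are hypothetical stand-ins.
 */

// VULNERABLE: relies only on the request coming from a logged-in administrator.
// The browser attaches the admin's session cookies to any cross-site POST, so
// a page the admin merely visits can submit this form on their behalf.
function example_import_snippets_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    $code = isset( $_POST['code'] ) ? wp_unslash( $_POST['code'] ) : '';
    // The imported snippet is stored and later executed as PHP, so whoever can
    // make the admin's browser send this request gets arbitrary code execution.
    example_store_snippet( $code );
    wp_safe_redirect( admin_url( 'admin.php?page=snippets&imported=1' ) );
    exit;
}

// HARDENED: same capability check plus a nonce bound to this action and to the
// logged-in user's session. A cross-origin page cannot read the nonce, so it
// cannot forge a valid request. check_admin_referer() calls wp_die() on failure.
function example_import_snippets_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_import', '_wpnonce' );
    $code = isset( $_POST['code'] ) ? wp_unslash( $_POST['code'] ) : '';
    example_store_snippet( $code );
    wp_safe_redirect( admin_url( 'admin.php?page=snippets&imported=1' ) );
    exit;
}
add_action( 'admin_post_example_import', 'example_import_snippets_hardened' );

// The legitimate admin form must embed the nonce for the hardened handler to
// accept the submission; wp_nonce_field() emits the hidden _wpnonce input.
function example_render_import_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_import">
        <?php wp_nonce_field( 'example_import', '_wpnonce' ); ?>
        <textarea name="code"></textarea>
        <?php submit_button( 'Import' ); ?>
    </form>
    <?php
}

// Hypothetical storage stand-in for whatever the real plug-in does with a snippet.
function example_store_snippet( $code ) {
    update_option( 'example_snippet', $code );
}
```

Two practitioner caveats: the nonce check only stops cross-site forgery, so the capability check stays in place (a nonce does not prove the user is allowed to do the action, only that the request originated from a page WordPress rendered for that user), and a WordPress nonce is valid for up to 24 hours and is not a one-time token, so it must never be exposed to pages an attacker could read.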
The researchers have also released a PoC video.
The researchers plan to publish proof-of-concept exploit code on February 12, so site owners running the plug-in should update as soon as possible.
At the time of writing, more than 50,000 users have downloaded and installed the patched version, but roughly 150,000 sites still run a vulnerable version and remain exposed.