Vulnerability in Code Snippets, WordPress plugin, affects more than 200,000 websites

WordPress is the world’s most popular content management system (CMS), and administrators of WordPress sites rely on a wide range of plugins to add or modify visual features and functionality, which has grown into an ecosystem of complementary tools. However, like any other software, WordPress plugins can contain security vulnerabilities that cybercriminals seek to exploit for their own benefit.

This time, digital forensics experts report the discovery of a security vulnerability in Code Snippets, a popular plugin with at least 200k active installations. The plugin adds a “Snippets” entry to the WordPress admin menu, from which administrators can manage, add or import code snippets.

If exploited, the vulnerability would allow any user to forge requests on behalf of a logged-in administrator, which could be used to inject malicious code into the target website.

The vulnerability is serious and, in the worst case, could allow threat actors to take full control of the affected site. Because these are flaws in widely used tools, digital forensics experts must act promptly and begin correcting such vulnerabilities before cybercriminals find a way to exploit them.

The vulnerability appears to be present in all versions of Code Snippets prior to 2.13.3; the plugin maintainers received the report soon after it was found, and the bug will be corrected with the release of version 2.14.0.

What does it mean?

Cross-site request forgery (usually abbreviated as CSRF or XSRF) occurs when a web application accepts commands that were sent from the browser of a user it trusts, such as a logged-in administrator, without that user having intended to send them. When a site is vulnerable to this flaw, it is possible to trick the administrator into creating a high-privileged account or, failing that, the attacker can infect visitors to the compromised website and extract their login credentials and other data, as noted by digital forensics experts.
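To make the defence concrete, the following PHP is an added illustration written for this article; it is not code from the Code Snippets plugin and does not reproduce the reported bug. It sketches a hypothetical admin-only “save snippet” handler (names prefixed `demo_` are invented) first in the shape that leaves it open to CSRF, then hardened with a capability check and a WordPress nonce, using only standard WordPress plugin API functions (`current_user_can`, `wp_nonce_field`, `check_admin_referer`, `admin_post_*` hooks).

```php
<?php
/*
 * Added illustration (hypothetical, not the Code Snippets plugin's code).
 * Assumes the standard WordPress plugin API is loaded.
 */

// --- Vulnerable pattern: the handler trusts any POST that arrives together
// with the administrator's session cookie. Nothing proves the request came
// from a page the site itself rendered, which is exactly what CSRF abuses.
function demo_save_snippet_unprotected() {
    if ( ! isset( $_POST['demo_snippet_code'] ) ) {
        return;
    }
    // No capability check, no nonce: cookies are the only "proof" of intent.
    update_option( 'demo_snippet_code', wp_unslash( $_POST['demo_snippet_code'] ) );
}

// --- Hardened pattern, part 1: the form embeds a nonce bound to this action
// and to the current user's session. A page on another origin cannot obtain it.
function demo_render_snippet_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_snippet">
        <?php wp_nonce_field( 'demo_save_snippet', 'demo_nonce' ); ?>
        <textarea name="demo_snippet_code"></textarea>
        <?php submit_button( 'Save snippet' ); ?>
    </form>
    <?php
}

// --- Hardened pattern, part 2: the handler checks *who* is acting and
// *whether they meant to* before touching any site state.
function demo_save_snippet_protected() {
    // 1. Authorization: only users allowed to manage the site may save code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: the nonce must match this action and this user.
    //    check_admin_referer() stops execution via wp_die() on mismatch.
    check_admin_referer( 'demo_save_snippet', 'demo_nonce' );

    $code = isset( $_POST['demo_snippet_code'] )
        ? wp_unslash( $_POST['demo_snippet_code'] )
        : '';
    update_option( 'demo_snippet_code', $code );

    // Redirect back so a browser refresh does not resubmit the form.
    $back = wp_get_referer() ?: admin_url();
    wp_safe_redirect( add_query_arg( 'demo_saved', '1', $back ) );
    exit;
}
add_action( 'admin_post_demo_save_snippet', 'demo_save_snippet_protected' );
```

Two points worth noting when reviewing a plugin for this class of bug. First, the capability check and the nonce check answer different questions (may this user do this at all, versus did this user actually ask for it just now), so both are needed; a nonce alone would still let a low-privileged account perform the action if the handler is reachable. Second, WordPress nonces are not single-use tokens: they are time-limited hashes tied to the user and action, so they defeat cross-origin forgery but are not a substitute for the authorization check.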

So far, there are no known cases of exploitation in the wild; however, users of this plugin are strongly encouraged to upgrade to the latest version available.