A serious vulnerability has been discovered in older versions of the popular Code Snippets plugin for WordPress. The flaw allowed anybody to forge a request on behalf of an administrator and inject executable code on a vulnerable site. This is a Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE) vulnerability. The developers of the plugin have now rolled out an update with a patch. Users are advised to immediately update to Code Snippets version 2.14.0.
Code Snippets plugin
Code Snippets is a plugin that makes it possible to add extra features to your WordPress website by executing small pieces of PHP code, without the need for a separate plugin for each feature. Many of those “snippets” have already been written. Code Snippets is a handy tool for WordPress users who have little or no programming knowledge. The plugin currently has more than 200,000 active installations.
Vulnerability
According to the team at Wordfence, who discovered the vulnerability on January 23rd, there was insufficient control in the Code Snippets import tool to guarantee the source and security of the snippets. This allowed users to unknowingly import malicious code, with all its consequences. WordPress sites that run the Code Snippets plugin run the risk of becoming the victim of a so-called cross-site request forgery (CSRF), an attack in which an admin user is tricked into clicking on a malicious link. This triggers unwanted actions. A hacker would then even be able to create a new admin account and completely take over the website in question.
“Code snippets were implicitly set as ‘disabled’ by default upon import. For imported code snippets to be enabled, additional action needed to be taken. This seemed like great news as it appeared no code snippets that were imported as a result of CSRF would actually be executed on the site unless a site administrator enabled that code – which would be unlikely during a CSRF attack. However, we discovered that this protection could easily be bypassed to allow a code snippet to be enabled upon import.
An attacker could simply inject an “active” flag with a value of “1” into the JSON body containing the code import details, and the code snippet would be enabled upon import. This escalated a minor problem into a very severe one, as an attacker could now inject malicious code and ensure it would be activated and executed whenever someone accessed the site.”
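As an added example (not the Code Snippets plugin's own code), the following illustrative import handler addresses both parts of the issue described above: a WordPress nonce check so that a request forged from another site is rejected, and the "active" flag from the import file ignored so that imported code stays disabled until an administrator deliberately enables it. The function, hook and option names are assumptions.

```php
<?php
// Illustrative hardened snippet-import handler for a WordPress plugin.
// Added example, not the Code Snippets plugin's code; names are assumed.

// Stores an imported snippet in a plugin option (assumed storage scheme).
function example_store_snippet( array $snippet ) {
    $stored   = get_option( 'example_snippets', array() );
    $stored[] = $snippet;
    update_option( 'example_snippets', $stored );
}

// Handles POST /wp-admin/admin-post.php?action=example_import_snippets.
// The submitting form must contain
//   wp_nonce_field( 'example_import_snippets', 'example_import_nonce' );
function example_handle_snippet_import() {
    // Only users who may manage the site can import at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // CSRF defence: the request must carry a nonce bound to this user and
    // action. A page on a third-party site cannot know this value, so a
    // forged request submitted by a logged-in admin is rejected here.
    check_admin_referer( 'example_import_snippets', 'example_import_nonce' );

    if ( empty( $_FILES['snippet_file']['tmp_name'] ) ) {
        wp_die( 'No import file supplied.' );
    }

    $raw  = file_get_contents( $_FILES['snippet_file']['tmp_name'] );
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) || empty( $data['snippets'] ) || ! is_array( $data['snippets'] ) ) {
        wp_die( 'Import file is not valid snippet JSON.' );
    }

    foreach ( $data['snippets'] as $snippet ) {
        if ( ! is_array( $snippet ) || ! isset( $snippet['code'] ) ) {
            continue;
        }
        example_store_snippet( array(
            'name'   => sanitize_text_field( $snippet['name'] ?? 'Imported snippet' ),
            'code'   => (string) $snippet['code'],
            // Never honour an 'active' flag from the file: imported code stays
            // disabled until an administrator enables it on purpose.
            'active' => 0,
        ) );
    }
}
add_action( 'admin_post_example_import_snippets', 'example_handle_snippet_import' );
```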
The video below shows a proof of concept:
Update
Are you using the Code Snippets plugin? Then log in to the administrative backend of your WordPress website and go to Plugins > Update to install the latest version (2.14.0) of the plugin. You can also download and install the latest version from the WordPress.org plugin page.