Wordfence experts discovered dangerous CSRF vulnerability (CVE-2020-8417) as part of the popular Code Snippets plugin for WordPress . Essentially, the bug allows an attacker to gain full control over a vulnerable resource.
According to official statistics of WordPress, open source Code Snippets is installed on more than 200,000 sites. The plugin is designed to run PHP snippets on WordPress sites, and also provides a convenient graphical interface for managing them, similar to the Plugins menu.
The vulnerability allowed attackers to forge requests on behalf of an administrator and inject code into vulnerable sites, which ultimately led to remote arbitrary code execution on sites with vulnerable versions of Code Snippets. The attacker would be able to create a new administrator account, gain access to confidential data, attack visitors to the resource, and so on.
Researchers say that in general, the plugin developer did a good job of protecting almost all endpoints with WordPress nonces, but the import function did not have such protection from CSRF. Thus, an attacker could force an administrator to infect their own site using a specially crafted malicious request.
The CSRF-RCE issue has now been fixed with the release of Code Snippets version 2.14.0. According to official statistics, approximately 58,000 users have already downloaded and installed the latest version of the plugin, which means that at least 140,000 sites are still vulnerable to attacks. .
A video demonstrating the PoC attack can be seen below. The researchers promised to publish the exploit on February 12, wanting to give plug-in users more time to install updates.