Popular WordPress plugin Code Snippets recently received a patch for a high-severity vulnerability that can be exploited to take control of affected websites.
The Code Snippets plugin, which has over 200,000 installations, provides admins with a graphical interface to run PHP code on their WordPress-powered websites by removing the need to add custom snippets to the theme’s functions.php file.
The recently discovered security flaw, Wordfence’s security researchers reveal, essentially allowed for attackers “to forge a request on behalf of an administrator and inject executable code on a vulnerable site.” This could result in attackers taking complete control of a website.
What the researchers discovered was that the plugin’s import function did not feature cross-site request forgery (CSRF) protection, which allowed attackers to trick admins into infecting their own site by crafting malicious requests.
Such a request would execute an action and send a request to the site, thus allowing for the attacker’s malicious code to be injected and executed.
“With remote code execution vulnerabilities, exploit possibilities are endless. An attacker could create a new administrative account on the site, exfiltrate sensitive information, infect site users, and much more,” Wordfence says.
While the plugin would set all code snippets as ‘disabled’ by default upon import, thus offering protection by requiring explicit admin action to enable them, the researchers discovered that it was easy to bypass the protection and allow code snippets to be enabled upon import.
For that, the attacker would only need to inject an "active" flag with a value of "1" into the JSON body that contains the code import details, which would result in the code snippet being automatically enabled upon import. ..
Support the originator by clicking the read the rest link below.
