200K WordPress Sites Vulnerable to Plugin Flaw

silversurfer

Aug 17, 2014
A high-severity vulnerability exists in a popular WordPress plugin, potentially opening up 200,000 websites to takeover.

The WordPress plugin in question is Code Snippets, which allows users to run small chunks of PHP code on their websites. This can be used to extend the functionality of the website (essentially used as a mini-plugin). The flaw (CVE-2020-8417) has been patched by the plugin’s developer, Code Snippets Pro.

“This is a high severity security issue that could cause complete site takeover, information disclosure, and more,” said Chloe Chamberland with Wordfence, who discovered the flaw, in an analysis this week. “We highly recommend updating to the latest version (2.14.0) immediately.”

Code Snippets offers an import menu for importing code onto the website. However, researchers found that the import menu had a missing referrer check, which allows a webpage to see where requests originated. That means malicious code could be enabled upon import.

That opens affected websites up to cross-site request forgery (CSRF), an attack that forces a victim (once they click on a malicious link) to execute unwanted actions on web applications in which they’re currently authenticated.
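An added illustration of the CSRF pattern the article describes, written for this post and not taken from the Code Snippets plugin or its patch. The handler, form, option name and nonce action (cs_demo_*, 'cs_demo_import') are hypothetical; the WordPress functions used (current_user_can, check_admin_referer, wp_nonce_field, update_option, submit_button) are real. It shows a privileged import handler that only checks the user's capability, beside the same handler guarded by a WordPress nonce.

```php
<?php
// Added example for this thread: NOT the Code Snippets plugin's code.
// cs_demo_* function names, the 'cs_demo_import' nonce action and the
// 'cs_demo_snippets' option are hypothetical names chosen for illustration.

// VULNERABLE pattern: any POST arriving with a logged-in admin's cookies is
// accepted. A page on an attacker's origin can auto-submit a form to this
// endpoint; the browser attaches the admin's WordPress session cookies, so the
// capability check passes although the admin never chose to import anything.
function cs_demo_import_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( empty( $_POST['snippets_json'] ) ) {
        return;
    }
    // Attacker-controlled PHP ends up stored and later executed by the site.
    $snippets = json_decode( wp_unslash( $_POST['snippets_json'] ), true );
    if ( is_array( $snippets ) ) {
        update_option( 'cs_demo_snippets', $snippets );
    }
}

// HARDENED pattern: additionally require a nonce bound to this user, this
// action and a limited time window. check_admin_referer() is WordPress's
// CSRF guard: despite its name it verifies the _wpnonce request field and
// terminates the request when the nonce is missing or invalid, rather than
// trusting the HTTP Referer header, which a client can omit or spoof.
function cs_demo_import_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'cs_demo_import' ); // dies unless the nonce checks out
    if ( empty( $_POST['snippets_json'] ) ) {
        return;
    }
    $snippets = json_decode( wp_unslash( $_POST['snippets_json'] ), true );
    if ( ! is_array( $snippets ) ) {
        wp_die( 'Malformed import payload.' );
    }
    update_option( 'cs_demo_snippets', $snippets );
}

// The legitimate admin form must embed the matching nonce. Only a page that
// WordPress rendered for this logged-in user carries a valid value, so a form
// hosted on a foreign origin cannot reproduce it.
function cs_demo_render_import_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'cs_demo_import' ); ?>
        <textarea name="snippets_json" rows="8" cols="80"></textarea>
        <?php submit_button( 'Import snippets' ); ?>
    </form>
    <?php
}
```

The capability check alone is not a CSRF defense: it confirms who the browser is, not whether that person intended the request. The nonce is the server-side fix; newer browser SameSite cookie defaults narrow the exposure but should not be relied on in place of it. For AJAX handlers the equivalent guard is check_ajax_referer() with the same action name.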