A high severity cross-site request forgery (CSRF) bug allows attackers to take over WordPress sites running an unpatched version of the Code Snippets plugin because of missing referer checks on the import menu.

According to the active installations count on its WordPress library entry, the open-source Code Snippets plugin is currently used by more than 200,000 websites. The vulnerability tracked as CVE-2020-8417 and rated as high severity was patched with the release of version 2.14.0 on January 25, two days after it was discovered and reported to the plugin’s developer by Wordfence’s Threat Intelligence team.

This CSRF “flaw allowed attackers to forge a request on behalf of an administrator and inject code on a vulnerable site,” allowing potential attackers to remotely execute arbitrary code on websites running a vulnerable Code Snippets installation.

These malicious requests could be used by the attackers to inject malicious code to be executed on the site, making it possible to create a new administrative account, exfiltrate sensitive information, infect site users, and much more.
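The bug class behind this report, as an added illustration that is not the Code Snippets plugin's own code and not part of the original article: a hypothetical WordPress admin import handler that processes any POST it receives, beside the same handler protected with a nonce field and `check_admin_referer()`, which is WordPress's standard way of rejecting requests that did not originate from the plugin's own form. Function and action names prefixed `example_` are assumptions.

```php
<?php
// Added example, not the Code Snippets plugin's code. Shows the CSRF pattern
// described above (an admin-only action with no check that the request came
// from the plugin's own page) and the hardened form using WordPress nonces.
// All example_* names and the 'example_import' action are hypothetical.

// --- Weak pattern: once an administrator is logged in, any POST to
// admin-post.php?action=example_import is processed, regardless of where
// the form that sent it was hosted. Shown for contrast only; not registered.
function example_import_weak() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    example_import_snippets( wp_unslash( $_POST['snippets'] ?? '' ) ); // no origin check
}

// --- Hardened pattern: the form carries a nonce bound to this action and the
// current user's session. check_admin_referer() calls wp_die() unless a valid,
// unexpired nonce is present, so a request forged from another site cannot
// pass even though the browser attaches the administrator's cookies.
function example_import_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'example_import_snippets', 'example_import_nonce' );
    echo '<input type="hidden" name="action" value="example_import">';
    echo '<textarea name="snippets"></textarea>';
    submit_button( 'Import' );
    echo '</form>';
}

function example_import_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // Verifies $_POST['example_import_nonce'] against the 'example_import_snippets'
    // action; on failure the request is terminated before any import happens.
    check_admin_referer( 'example_import_snippets', 'example_import_nonce' );
    example_import_snippets( wp_unslash( $_POST['snippets'] ?? '' ) );
}

// Hypothetical import routine; the real plugin's storage logic is not shown.
function example_import_snippets( $payload ) {
    // Validate the payload before storing it; never execute it directly.
}

// Only the hardened handler is wired to the admin-post.php action hook.
add_action( 'admin_post_example_import', 'example_import_hardened' );
```

Capability checks alone (the `current_user_can()` line) do not stop CSRF, because the forged request runs in the logged-in administrator's browser; the nonce is what ties the request to the plugin's own form.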

Experts' Comments

January 31, 2020
James McQuiggan
Security Awareness Advocate
KnowBe4
For users and organizations who use WordPress for their website needs, they'll want to make sure they have the latest and greatest plugins as well as updates for their site to reduce the risk of a data breach or attack. While this exploit is dangerous, the patch is available and it is highly recommended for website owners to streamline all patches and updates as soon as possible. The website is an organization's "front door" to the world and if they don't keep their home secure, they risk someone breaking into their home and stealing valuables. Like a home, the website must be secured and one easy way is to update the plugins and software on a regular basis. Failure to keep the website software up to date can lead to hackers quickly gaining access to the site and stealing data, or defacing the site. Best practices are to monitor and keep up to date on any WordPress updates, or plugin updates to the software.
January 31, 2020
Peter Draper
Technical Director, EMEA
Gurucul
A high severity cross-site request forgery (CSRF) bug allows attackers to take over WordPress sites running an unpatched version of the Code Snippets plugin because of missing referer checks on the import menu. According to the active installations count on its WordPress library entry, the open-source Code Snippets plugin is currently used by more than 200,000 websites. The vulnerability tracked as CVE-2020-8417 and rated as high severity was patched with the release of version 2.14.0 on January 25, two days after it was discovered and reported to the plugin's developer by Wordfence's Threat Intelligence team. This CSRF "flaw allowed attackers to forge a request on behalf of an administrator and inject code on a vulnerable site," allowing potential attackers to remotely execute arbitrary code on websites running a vulnerable Code Snippets installation. These malicious requests could be used by the attackers to inject malicious code to be executed on the site, thus making it possible to create a new administrative account on the site, exfiltrate sensitive information, infect site users, and much more. The full story can be found here: https://www.bleepingcomputer.com/news/security/200k-wordpress-sites-exposed-to-takeover-attacks-by-plugin-bug/
January 31, 2020
Jake Moore
Cybersecurity Specialist
ESET
This is a huge threat to a webmaster, as it is extremely easy for a threat actor to exploit and take advantage of a website with this particular plugin if it is unpatched. WordPress plugins should always be monitored closely by the owners and updated as soon as possible with the patch, which is now available. It is critical to keep a close eye on all areas of a website and never to feel complacent. Some websites are not looked after in-house, so it is advised to make sure your website is monitored by someone who is on top of security issues and aware of current threats, as well as the updates available. Although a password was not needed for this particular exploit, using the WordPress in-app two factor verification security on your device will add another layer of protection to help keep your site safe and secure.
January 30, 2020
Niamh Muldoon
Senior Director of Trust and Security, EMEA
OneLogin
This is an example of the importance of an Enterprise Security Programme, where organisations understand their Information Assets and have an up-to-date Asset Management Inventory. By having these, organisations can prioritise applying patches when “day-zero” type of vulnerabilities and/or bugs like this are announced. The prioritisation of applying patches varies from organisation to organisation, but should fundamentally be based on risk assessment criteria of the services offered by the exposed website, i.e. payments, authentication credentials and PII data. Security Automation is hugely beneficial to delivering quick responses to reduce risk exposure. Multi-Factor Authentication (MFA) plays a role in reducing the risk of this vulnerability being exploited, exposing critical data. However, that is dependent on the second and third factor types, i.e. token type and how they have been implemented/configured with the WordPress Site.