Comment: WordPress Plugin Bug Exposes 200K+ Sites

By   ISBuzz Team
Writer , Information Security Buzz | Jan 30, 2020 07:00 am PST

A high severity cross-site request forgery (CSRF) bug allows attackers to take over WordPress sites running an unpatched version of the Code Snippets plugin because of missing referer checks on the import menu.

According to the active installations count on its WordPress library entry, the open-source Code Snippets plugin is currently used by more than 200,000 websites. The vulnerability tracked as CVE-2020-8417 and rated as high severity was patched with the release of version 2.14.0 on January 25, two days after it was discovered and reported to the plugin’s developer by Wordfence’s Threat Intelligence team.

This CSRF “flaw allowed attackers to forge a request on behalf of an administrator and inject code on a vulnerable site,” allowing potential attackers to remotely execute arbitrary code on websites running vulnerable Code Snippets installation.

These malicious requests could be used by the attackers to inject malicious code to be executed on the site thus making it possible to create a new administrative account on the site, exfiltrate sensitive information, infect site users, and much more.

Subscribe
Notify of
guest
4 Expert Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
James McQuiggan
James McQuiggan , Security Awareness Advocate
January 31, 2020 11:14 am

For users and organizations who use WordPress for their website needs, they\’ll want to make sure they have the latest and greatest plugins as well as updates for their site to reduce the risk of a data breach or attack. While this exploit is dangerous, the patch is available and it is highly recommended for website owners to streamline all patches and updates as soon as possible.

The website is an organization\’s \”front door\” to the world and if they don\’t keep their home secure, they risk someone breaking into their home and stealing valuables. Like a home, the website must be secured and one easy way is to update the plugins and software on a regular basis. Failure to keep the website software up to date can lead to hackers quickly gaining access to the site and stealing data, or defacing the site. Best practices are to monitor and keep up to date on any WordPress updates, or plugin updates to the software.

Last edited 4 years ago by James McQuiggan
Peter Draper
Peter Draper , Technical Director, EMEA
January 31, 2020 10:42 am

A high severity cross-site request forgery (CSRF) bug allows attackers to take over WordPress sites running an unpatched version of the Code Snippets plugin because of missing referer checks on the import menu.

According to the active installations count on its WordPress library entry, the open-source Code Snippets plugin is currently used by more than 200,000 websites.he vulnerability tracked as CVE-2020-8417 and rated as high severity was patched with the release of version 2.14.0 on January 25, two days after it was discovered and reported to the plugin\’s developer by Wordfence\’s Threat Intelligence team.

This CSRF \”flaw allowed attackers to forge a request on behalf of an administrator and inject code on a vulnerable site,\” allowing potential attackers to remotely execute arbitrary code on websites running vulnerable Code Snippets installation.

These malicious requests could be used by the attackers to inject malicious code to be executed on the site thus making it possible to create a new administrative account on the site, exfiltrate sensitive information, infect site users, and much more.

The full story can be found here: https://www.bleepingcomputer.com/news/security/200k-wordpress-sites-exposed-to-takeover-attacks-by-plugin-bug/

Last edited 4 years ago by Peter Draper
Jake Moore
Jake Moore , Global Cyber Security Advisor
January 31, 2020 10:40 am

This is a huge threat to a webmaster, as it is extremely easy for a threat actor to exploit and take advantage of a website with this particular plugin if it is unpatched. WordPress plugins should always be monitored closely by the owners and updated as soon as possible with the patch, which is now available.

It is critical to keep a close eye on all areas of a website and never to feel complacent. Some websites are not looked after in-house, so it is advised to make sure your website is monitored by someone who is on top of security issues and aware of current threats, as well as the updates available.

Although a password was not needed for this particular exploit, using the WordPress in-app two factor verification security on your device will add another layer of protection to help keep your site safe and secure.

Last edited 4 years ago by Jake Moore
Niamh Muldoon
Niamh Muldoon , Senior Director of Trust and Security, EMEA
January 30, 2020 3:02 pm

This is an example of the importance of an Enterprise Security Programme, where organisations understand their Information Assets and have an up-to-date Asset Management Inventory. By having these, organisations can prioritise applying patches when “day-zero” type of vulnerabilities and/or bugs like this are announced.

The prioritisation of applying patches varies from organisation to organisation, but should fundamentally be based on risk assessment criteria of the services offered by the exposed website, i.e. payments, authentication credentials and PII data.

Security Automation is hugely beneficial to delivering quick responses to reduce risk exposure. Multi-Factor Authentication (MFA) plays a role in reducing the risk of this vulnerability being exploited, exposing critical data. However, that is dependent on the second and third factor types, i.e. token type and how they have been implemented/configured with the WordPress Site.

Last edited 4 years ago by Niamh Muldoon

Recent Posts

4
0
Would love your thoughts, please comment.x
()
x