WordPress Plugin Vulnerability Report – Code Snippets – Cross-Site Request Forgery via load
Plugin Name: Code Snippets
Key Information:
- Software Type: Plugin
- Software Slug: code-snippets
- Software Status: Active
- Software Author: bungeshea
- Software Downloads: 8,867,266
- Active Installs: 800,000
- Last Updated: November 6, 2023
- Patched Versions: 3.6.0
- Affected Versions: < 3.6.0
Vulnerability Details:
- Name: Code Snippets <= 3.5.0 - Cross-Site Request Forgery via load
- Type: Cross-Site Request Forgery (CSRF)
- CVSS Score: 5.4 (Medium)
- Publicly Published: November 6, 2023
- Description: The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.5.0. This is due to missing or incorrect nonce validation on the load function. This makes it possible for unauthenticated attackers to reset plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Summary:
The Code Snippets plugin for WordPress has a vulnerability in versions up to and including 3.5.0 that allows unauthenticated attackers to reset plugin settings via a forged request. This vulnerability has been patched in version 3.6.0.
Detailed Overview:
The Code Snippets plugin, which allows users to add code snippets to their WordPress site, is affected by a cross-site request forgery (CSRF) vulnerability. This was publicly disclosed on November 6, 2023 and affects all versions prior to 3.6.0. The vulnerability is caused by missing or incorrect nonce validation on the load function, which handles import and reset actions in the plugin. This makes it possible for an attacker to trick an admin into clicking a link that will send a forged request to reset snippets or import malicious code. If exploited, this could allow the attacker to insert backdoors, spam code, or other malicious snippets into a vulnerable site. The risk is escalated by the fact that Code Snippets has over 800,000 active installs. Users are strongly advised to update as soon as possible to version 3.6.0 which contains the fix.
Advice for Users:
- Immediate Action: Update to version 3.6.0 or higher as soon as possible.
- Check for Signs of Vulnerability: Review your code snippets for any unauthorized or suspicious code that may have been added via this vulnerability.
- Alternate Plugins: Consider using alternate plugins like Insert Headers and Footers or WP Javascript Snippets as a precaution.
- Stay Updated: Always keep your plugins updated, especially when notified of vulnerabilities.
Conclusion:
The quick response from the developers to patch this CSRF vulnerability shows their commitment to security. Users should promptly update to the latest version to prevent any potential compromise of their sites.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/code-snippets
Detailed Report:
Staying on top of website security is a never-ending task. New vulnerabilities in popular software are discovered constantly, underscoring the importance of prompt patching and updating. This week a concerning vulnerability has been revealed in the highly popular WordPress plugin, Code Snippets.
This plugin, which is active on over 800,000 WordPress sites, is susceptible to a cross-site request forgery (CSRF) vulnerability in all versions prior to 3.6.0. This flaw allows attackers to remotely reset plugin settings and insert malicious code snippets onto vulnerable websites. Left unpatched, this vulnerability poses a serious risk of site takeover and injection of spam, phishing content, or other threats.
About the Plugin
Code Snippets is a widely used WordPress plugin with over 8 million downloads and 800,000 active installs. It allows users to easily add code snippets like HTML, JavaScript, CSS, and PHP to their sites. The plugin is actively maintained and was last updated on November 6, 2023.
The Vulnerability
Researchers discovered a CSRF vulnerability affecting Code Snippets versions 3.5.0 and below. The vulnerability is caused by missing nonce validation on the load function which handles import and reset actions. This allows attackers to forge requests that can reset plugin settings or import malicious code snippets.
Risks and Impacts
This vulnerability, if exploited, gives attackers remote access to reset plugin settings and inject malicious code onto vulnerable sites. Attackers could leverage it to add backdoors, spam code, or phishing content. For site owners, this poses a serious risk of site takeover, data theft, or distribution of malware to site visitors.
How to Update
The developer has patched the issue in version 3.6.0. Users should update their installations to the latest version immediately. You can do this automatically through the WordPress dashboard or by manually downloading the latest version from the plugin repository. Be sure to backup your site first.
After updating, check your existing code snippets for any unauthorized or suspicious additions. Also consider using alternate plugins like Insert Headers and Footers or WP Javascript Snippets as a temporary precaution.
Past Vulnerabilities
This is the 5th vulnerability found in the plugin since July 2016. The regular discovery of flaws reinforces the need to promptly update WordPress, themes, and plugins.
The Importance of Security Updates
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.