A high severity cross-site request forgery (CSRF) bug allows attackers to take over WordPress sites running an unpatched version of the Code Snippets plugin because of missing referer checks on the import menu.

According to the active installations count on its WordPress library entry, the open-source Code Snippets plugin is currently used by more than 200,000 websites. The vulnerability tracked as CVE-2020-8417 and rated as high severity was patched with the release of version 2.14.0 on January 25, two days after it was discovered and reported to the plugin’s developer by Wordfence’s Threat Intelligence team.

This CSRF “flaw allowed attackers to forge a request on behalf of an administrator and inject code on a vulnerable site,” allowing potential attackers to remotely execute arbitrary code on websites running a vulnerable Code Snippets installation.

These malicious requests could be used by the attackers to inject malicious code to be executed on the site, making it possible to create a new administrative account, exfiltrate sensitive information, infect site users, and much more.
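The missing-check pattern behind this class of bug, shown as an added illustration (hypothetical handler code, not the Code Snippets plugin's own): a WordPress admin import handler that relies only on the logged-in cookie, beside one that also demands the nonce WordPress issues for that form. All function names, the nonce action and the field name are assumptions; `current_user_can`, `check_admin_referer`, `wp_nonce_field` and `wp_die` are standard WordPress API.

```php
<?php
// Hypothetical helper (assumption): parse an uploaded export file and return
// how many snippet records it contains, without executing anything.
function hypothetical_count_snippets( $path ) {
    $data = json_decode( (string) file_get_contents( $path ), true );
    return is_array( $data ) ? count( $data ) : 0;
}

// Vulnerable pattern: the only gate is "is an administrator logged in?".
// A cross-site POST triggered from the admin's browser carries the session
// cookie, so nothing ties the request to a form the admin actually loaded.
function hypothetical_import_handler_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_FILES['snippet_file'] ) ) {
        return hypothetical_count_snippets( $_FILES['snippet_file']['tmp_name'] );
    }
    return 0;
}

// Hardened pattern, step 1: the form carries a per-user, per-action nonce.
function hypothetical_render_import_form() {
    echo '<form method="post" enctype="multipart/form-data">';
    wp_nonce_field( 'hypothetical_import_snippets', '_hypothetical_nonce' );
    echo '<input type="file" name="snippet_file">';
    echo '<input type="submit" value="Import">';
    echo '</form>';
}

// Hardened pattern, step 2: check_admin_referer() verifies that nonce (and
// the referer) and dies with an "expired link" page when it is missing or
// stale, so a forged cross-site request never reaches the import code.
function hypothetical_import_handler_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Action and field name must match wp_nonce_field() in the form above.
    check_admin_referer( 'hypothetical_import_snippets', '_hypothetical_nonce' );
    if ( isset( $_FILES['snippet_file'] )
        && is_uploaded_file( $_FILES['snippet_file']['tmp_name'] ) ) {
        return hypothetical_count_snippets( $_FILES['snippet_file']['tmp_name'] );
    }
    return 0;
}
```

The capability check alone does not stop CSRF, because the forged request runs with the administrator's own privileges; the nonce is what binds the request to a page the administrator chose to submit.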

EXPERTS COMMENTS
Niamh Muldoon, Senior Director of Trust and Security, EMEA,  OneLogin
January 30, 2020
Security Automation is hugely beneficial to delivering quick responses to reduce risk exposure.

This is an example of the importance of an Enterprise Security Programme, where organisations understand their Information Assets and have an up-to-date Asset Management Inventory. By having these, organisations can prioritise applying patches when "day-zero" type of vulnerabilities and/or bugs like this are announced. The prioritisation of applying patches varies from organisation to organis
