Skip to main content

Plugin flaw puts over 200,000 WordPress sites at risk of attack

(Image credit: Pixabay)

Over 200,000 WordPress sites have been warned they may have been exposed to a bug that allows hackers to take over the website easily.

The affected sites were all found to be running an unpatched open-source plugin that puts them at risk of attack.

This high severity cross-site request forgery (CSRF) bug has impacted a plugin called Code Snippets which is used to run PHP code snippets offering a graphical user interface that looks similar to the plugins menu.

Attacked

The bug, first tracked by security firm Wordfence, allowed attackers to inject a PHP code on behalf of the administrator and execute malicious codes remotely. It also allowed hackers to create new administrator accounts, extract sensitive data, and even infect site users.

Wordfence researchers pointed out that though the developers had followed all the security measures however, the import function in the plugin had a flaw that could be easily compromised. 

The vulnerability has been fixed on 25th January, a couple of days later it was reported, with the latest release of the Code Snippet plugin now version 2.14.0. Any admins running an older version of the plugin have been told they must update to the patched version.

As per a WordPress plugin download data of the latest update, approximately 58,000 users have downloaded the updated plugin while over 140,000 users are still on the older version and are vulnerable to hack.

Via BleepingComputer