On January 23rd, our Threat Intelligence team discovered a vulnerability in Code Snippets, a WordPress plugin installed on over 200,000 sites. The flaw allowed anybody to forge a request on behalf of an administrator and inject executable code on a vulnerable site. This is a Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE) vulnerability. We privately disclosed the full details to the plugin’s developer on January 24th, who was quick to respond and released a patch one day later.
This is a high severity security issue that could cause complete site takeover, information disclosure, and more. We highly recommend updating to the latest version (2.14.0) immediately.
Wordfence Premium customers received a new firewall rule on January 24th to protect against exploits targeting this vulnerability. Free Wordfence users will receive the rule after thirty days on February 23rd.
Lack of CSRF Protection to Complete WordPress Site Takeover
Code Snippets is a handy and easy to use plugin that allows users to add code snippets to a WordPress site in order to customize site functionality without having to navigate the site’s underlying code. It makes it easy to enable and disable code snippet functionality in order to test adding new code to a WordPress site.
The plugin developer protected nearly all endpoints of this plugin with WordPress “nonces” for greater security. However, the plugin’s import function lacked that same CSRF protection. Without this protection, an attacker could craft a malicious request to trick an administrator into infecting their own site. This request would execute an action, send a request to the site, and the attacker’s malicious code could be injected and executed on the site. With remote code execution vulnerabilities, exploit possibilities are endless. An attacker could create a new administrative account on the site, exfiltrate sensitive information, infect site users, and much more.
Defaults Can Be Bypassed
Code snippets were implicitly set as ‘disabled’ by default upon import. For imported code snippets to be enabled, additional action needed to be taken. This seemed like great news as it appeared no code snippets that were imported as a result of CSRF would actually be executed on the site unless a site administrator enabled that code – which would be unlikely during a CSRF attack. However, we discovered that this protection could easily be bypassed to allow a code snippet to be enabled upon import.
An attacker could simply inject an "active" flag with a value of "1" into the JSON body containing the code import details, and the code snippet would be enabled upon import. This escalated a minor problem into a very severe one, as an attacker could now inject malicious code and ensure it would be activated and executed whenever someone accessed the site.
The developer corrected this so that code snippets would always be disabled upon import explicitly, rather than using a more implicit technique to disable snippets upon import found in vulnerable versions of the plugin.
Proof of Concept Walkthrough
We’ve created this short video to show how this vulnerability could be exploited and what the potential impact could be.
Firewall Rule Impact Disclosure
We encountered some restrictions while trying to write a firewall rule to protect against this vulnerability. CSRF vulnerabilities can be hard to protect against without blocking normal functionality for site administrators as these types of vulnerabilities require an administrator to be logged in and unknowingly execute an action to send a request. From a firewall perspective, this means exploit attempts appear to come from a legitimate, logged-in source.
Due to the risk associated with the vulnerability, we opted to completely block the functionality of the import feature, which means that Wordfence users may experience a false positive block when trying to import code snippets if using a vulnerable version of this plugin.
Fortunately, the plugin developer changed the endpoint associated with the import functionality, ensuring that updated versions will not encounter any false positive blocks by the Wordfence Firewall. As always, we highly recommend updating to the latest version of this plugin – not only for the security of your site, but also to preserve functionality.
January 23rd, 2020 – Vulnerability initially discovered and analyzed. Initial reach to developer. January 23rd, 2020 – Developer confirms appropriate inbox for handling discussion. January 24th, 2020 – Full report sent to developer. Firewall rule released for Wordfence Premium users. January 24th, 2020 – Developer confirms details and begins working on patch. January 25th, 2020 – Patch released. February 23rd, 2020 – Wordfence free users receive firewall rule.
In today’s post, we detailed a CSRF to RCE vulnerability in the Code Snippets plugin. This flaw has been patched in version 2.14.0 and we recommend that users update to the latest version available immediately. Sites running Wordfence Premium have been protected from attacks against this vulnerability since January 24th. Sites running the free version of Wordfence will receive the firewall rule update on February 23rd, 2020.
Special thanks to the plugin developer, Shea Bunge, for responding promptly and reacting swiftly to get a patch out a day after full disclosure.