A high-severity flaw in the Code Snippets WordPress plugin leaves over 200,000 websites open to takeover. Code Snippets allows users to run small chunks of PHP code on their websites, which can be used to extend the site's functionality. The flaw (CVE-2020-8417) has been patched by the plugin's developer, Code Snippets Pro.
Code Snippets offers an import menu for importing code onto the website. Researchers found that the import menu was missing a referrer check, the check that lets the site confirm where a request originated. Without it, an import request forged from another site could add and enable malicious code. This opens affected websites up to cross-site request forgery (CSRF), an attack that forces a victim to execute unwanted actions on a web application in which they are currently authenticated.
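To make the defect concrete from a defender's side, the following is an added illustration in generic WordPress terms; it is not the Code Snippets plugin's own code. It places a form handler that skips the request-origin checks beside the standard hardened form that WordPress core expects (a capability check plus a nonce verified with `check_admin_referer()`). The hook name, the form field names, the option name and the `manage_options` capability are assumptions made for this example.

```php
<?php
// Added illustration, not code from the Code Snippets plugin. The action
// name, field names, option key and capability below are assumptions.

// --- Weak pattern: a handler that trusts any POST carrying the right fields.
// A page on another origin can submit this form on behalf of a logged-in
// admin; the browser attaches the WordPress auth cookies automatically, so
// the import runs. This is the shape of a CSRF-able admin action.
function example_import_weak() {
    if ( ! isset( $_POST['snippet_code'] ) ) {
        return;
    }
    // No nonce/referrer check and no capability check: nothing ties the
    // request to a form the administrator actually rendered and submitted.
    example_store_snippet( wp_unslash( $_POST['snippet_code'] ) );
}

// --- Hardened pattern: the same handler guarded as WordPress core expects.
function example_import_hardened() {
    // 1. Only users allowed to manage the site may import at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Verify the nonce bound to this user and this action. A form on a
    //    foreign origin cannot obtain a valid nonce for the victim, so
    //    check_admin_referer() stops the request with wp_die() on failure.
    check_admin_referer( 'example_import_snippet', 'example_import_nonce' );

    if ( ! isset( $_POST['snippet_code'] ) ) {
        return;
    }
    example_store_snippet( wp_unslash( $_POST['snippet_code'] ) );
}

// The legitimate import form emits the matching nonce field so that real
// submissions from the admin area pass the check above.
function example_render_import_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_import_snippet">';
    wp_nonce_field( 'example_import_snippet', 'example_import_nonce' );
    echo '<textarea name="snippet_code"></textarea>';
    submit_button( 'Import' );
    echo '</form>';
}

// Stand-in for whatever persists the snippet (assumed for the illustration).
function example_store_snippet( $code ) {
    update_option( 'example_last_imported_snippet', $code );
}

// Route form submissions through the hardened handler only.
add_action( 'admin_post_example_import_snippet', 'example_import_hardened' );
```

The detection-side takeaway is the same as the review-side one: any state-changing admin action reachable by a POST should fail closed unless it carries a nonce that `wp_verify_nonce()` / `check_admin_referer()` accepts for the current user, and the handler should still confirm the capability, since a nonce alone does not prove authorization.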
This is a high-severity security issue that could lead to complete site takeover, information disclosure, and more. The flaw was first discovered on Jan. 23; the developers released a patch on Jan. 25. Administrators are strongly advised to update to the latest version, 2.14.0, immediately. This is only the latest WordPress plugin to face security issues.