Security News > 2020 > January > Flaw in 'Code Snippets' Plugin Exposed Many WordPress Sites to Attacks
Popular WordPress plugin Code Snippets recently received a patch for a high-severity vulnerability that can be exploited to take control of affected websites.
The Code Snippets plugin, which has over 200,000 installations, provides admins with a graphical interface to run PHP code on their WordPress-powered websites by removing the need to add custom snippets to the theme's functions.
While the plugin would set all code snippets as 'disabled' by default upon import, thus offering protection by requiring explicit admin action to enable them, the researchers discovered that it was easy to bypass the protection and allow code snippets to be enabled upon import.
Code Snippets version 2.14.0 corrects the vulnerability and site admins are encouraged to update to the patched iteration as soon as possible.
"The developer corrected this so that code snippets would always be disabled upon import explicitly, rather than using a more implicit technique to disable snippets upon import found in vulnerable versions of the plugin," Wordfence explains.