Over 200,000 WordPress sites have been warned they may have been exposed to a bug that allows hackers to take over the website easily.
The affected sites were all found to be running an unpatched open-source plugin that puts them at risk of attack.
This high severity cross-site request forgery (CSRF) bug has impacted a plugin called Code Snippets which is used to run PHP code snippets offering a graphical user interface that looks similar to the plugins menu.
- This WordPress vulnerability could let hackers hijack your entire site
- It's a jungle out there: Don't leave your WordPress sites in the wild
- WordPress plugins hacked for fake admin accounts
Attacked
The bug, first tracked by security firm Wordfence, allowed attackers to inject a PHP code on behalf of the administrator and execute malicious codes remotely. It also allowed hackers to create new administrator accounts, extract sensitive data, and even infect site users.
Wordfence researchers pointed out that though the developers had followed all the security measures however, the import function in the plugin had a flaw that could be easily compromised.
The vulnerability has been fixed on 25th January, a couple of days later it was reported, with the latest release of the Code Snippet plugin now version 2.14.0. Any admins running an older version of the plugin have been told they must update to the patched version.
As per a WordPress plugin download data of the latest update, approximately 58,000 users have downloaded the updated plugin while over 140,000 users are still on the older version and are vulnerable to hack.
- We've also highlighted the best antivirus software
Via BleepingComputer
