WordPress sites at risk after Code Snippets plugin flaw
Administrators of more than 200,000 WordPress sites have been warned that their sites may be exposed to a bug that lets an attacker take over the site with little effort.
All of the affected sites were found to be running an unpatched version of an open-source plugin, which leaves them open to attack.
The high-severity cross-site request forgery (CSRF) bug affects a plugin called Code Snippets, which lets administrators add and run PHP code snippets through a graphical interface that resembles the Plugins menu.
The bug, reported by security firm Wordfence, allowed an attacker to inject PHP code on behalf of an administrator and have it executed on the server. Once arbitrary code runs on the site, the attacker can create new administrator accounts, extract sensitive data, and even serve malicious content to site visitors.
Wordfence researchers noted that although the developers had applied the usual protections elsewhere in the plugin, the import function lacked them, so a forged request to it could be accepted as if the administrator had made it.
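To make the mechanism concrete, here is an added illustration of how a WordPress admin "import" handler becomes CSRF-vulnerable and how it is normally hardened. This is example code written for this page, not code from the Code Snippets plugin or from Wordfence; the `acme_import` action name, the `acme_import_snippets()` helper and the option name are assumptions made for the illustration. The WordPress functions used (`current_user_can`, `wp_nonce_field`, `check_admin_referer`, `admin_post_{action}`) are the standard ones.

```php
<?php
/**
 * Added illustration, not code from the Code Snippets plugin: a hypothetical
 * WordPress admin "import" handler in a CSRF-vulnerable form and a hardened
 * form. The 'acme_import' action, the option name and acme_import_snippets()
 * are assumptions made for the example.
 */

// Hypothetical helper standing in for whatever a real plugin does with an
// imported snippet: it stores code that will later be executed on the server.
function acme_import_snippets( $raw ) {
    // Assumed: persist the snippet so it runs on a later page load.
    update_option( 'acme_pending_snippet', $raw );
}

// --- Vulnerable version --------------------------------------------------
// A capability check only proves that the browser sending the request is
// logged in as an administrator. It does not prove the administrator meant to
// send it: a hidden form on an attacker-controlled page, auto-submitted by
// JavaScript, reaches this handler with the admin's own session cookie.
function acme_import_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // No nonce check: any cross-site POST carrying a valid admin cookie is
    // accepted, so the attacker chooses the PHP that gets imported.
    $raw = isset( $_POST['snippet'] ) ? wp_unslash( $_POST['snippet'] ) : '';
    acme_import_snippets( $raw );
    wp_safe_redirect( admin_url( 'admin.php?page=acme-snippets&imported=1' ) );
    exit;
}

// --- Hardened version ----------------------------------------------------
// The form that legitimately submits to the handler embeds a nonce tied to
// this action and the current user. A third-party page cannot read that
// value, so a forged request fails the check in the handler.
function acme_import_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="acme_import">';
    wp_nonce_field( 'acme_import_snippets', 'acme_import_nonce' );
    echo '<textarea name="snippet"></textarea>';
    submit_button( 'Import' );
    echo '</form>';
}

function acme_import_hardened() {
    // 1. Authorization: who is allowed to import at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. Intent: the request must carry the nonce our own form issued.
    //    check_admin_referer() calls wp_die() when the nonce is missing or
    //    invalid, so a forged request never reaches the import below.
    check_admin_referer( 'acme_import_snippets', 'acme_import_nonce' );

    $raw = isset( $_POST['snippet'] ) ? wp_unslash( $_POST['snippet'] ) : '';
    acme_import_snippets( $raw );
    wp_safe_redirect( admin_url( 'admin.php?page=acme-snippets&imported=1' ) );
    exit;
}

// admin_post_{action} fires for POSTs to wp-admin/admin-post.php from
// logged-in users whose 'action' field matches. Register only the hardened
// handler; the vulnerable one is kept above purely for comparison.
add_action( 'admin_post_acme_import', 'acme_import_hardened' );
```

Two points worth keeping in mind when reviewing plugin code of your own: a capability check and a nonce check answer different questions (is this user allowed, and did this user actually intend this request), so both are needed on every state-changing handler, and a single handler that lacks the nonce check is enough to expose the site even when every other handler is protected, which is exactly the situation described above.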
The vulnerability was fixed on 25 January, a couple of days after it was reported, in Code Snippets version 2.14.0. Administrators running an older version of the plugin have been told to update to the patched release.
According to WordPress.org download data for the update, approximately 58,000 sites had installed the patched plugin at the time of writing, while more than 140,000 remained on an older, vulnerable version.
What do you think of the hundreds of thousands of WordPress sites at risk after the Code Snippets plugin flaw?
My view as the Radar Guy:
If you are a site admin, always make it a habit to update your plugins as soon as you get alerted, since some plugins may not send you update notifications. Consider installing and activating some superior security plugins like Wordfence.