Information security researchers have recently discovered a vulnerability in previous versions of the popular WordPress plugin Code Snippets. This flaw could allow malicious actors to remotely take over a person's website. Although the plugin developers have issued a patch for the bug, more than 200,000 websites are still at risk.
The Code Snippets plugin enables WordPress sites to execute bits of PHP code to add extra features without needing other plugins; you can also use pre-written code to make the process easier. It's helpful for people who lack the programming skills to write their own plugins. As Threatpost explains, the Code Snippets import tool fails to check the source or safety of code prior to import, meaning users could unknowingly import and execute malicious code, paving the way for hackers to execute commands even without admin access.
It’s scary but can be fixed. If your WordPress blog/site uses Code Snippets, update the plugin right away.
Log in to your site, then go to the Updates section from the dashboard. You can also click here to install the latest version of the Code Snippets WordPress plugin.