WordPress Plugin Vulnerabilities

Code Snippets < 2.14.0 - CSRF to RCE

Description

This "flaw allowed anybody to forge a request on behalf of an administrator and inject executable code on a vulnerable site."

Proof of Concept

Affects Plugins

Plugin icon
code-snippets
Fixed in 2.14.0

References

CVE
CVE-2020-8417
URL
https://www.wordfence.com/blog/2020/01/high-severity-csrf-to-rce-vulnerability-patched-in-code-snippets-plugin/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
https://wordfence.com
Submitter twitter
infosecchloe
Verified
No
WPVDB ID
0db4c0e7-7556-4e7d-b4b6-54f333ef5f11

Timeline

Publicly Published
2020-01-29 (about 6 years ago)
Added
2020-01-29 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2025-12-16
Title
Download Plugins and Themes from Dashboard < 1.9.7 - Cross-Site Request Forgery to Bulk Plugin/Theme Archival
Published
2025-05-07
Title
TrueBooker < 1.0.8 - Cross-Site Request Forgery
Published
2023-04-19
Title
Pearl < 1.3.5 - CSRF
Published
2025-06-19
Title
Oganro Travel Portal Search Widget for HotelBeds APITUDE API <= 1.0 - Cross-Site Request Forgery
Published
2022-05-17
Title
Useful Banner Manager <= 1.6.1 - Modify banners via CSRF