Code Snippets WordPress Plugin PHP Code Injection Vulnerability

Vulnerability

A PHP code injection vulnerability exists in the Code Snippets plugin for WordPress, affecting all versions through 3.9.1. The issue arises from the plugin's use of the extract() function on attacker-controlled shortcode attributes, specifically within the 'evaluate_shortcode_from_flat_file' method. Because extract() turns every attribute key into a local variable, an authenticated attacker with Contributor-level access or higher can overwrite the '$filepath' variable that is subsequently passed to require_once. This lets them execute arbitrary PHP code on the server via the '[code_snippet]' shortcode, provided they can persuade an administrator to enable the 'Enable file-based execution' setting and create at least one active Content snippet.

Impact

Exploitation of this vulnerability allows for arbitrary PHP code execution on the server.
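The following is an added illustration of the defect class described above and of the hardened form a maintainer would write; it is not the plugin's own code, and the function names, the snippet directory and the attribute values are constructed for this example. It shows how extract() on untrusted attributes silently replaces a previously computed variable, and how an allowlisted attribute set plus a path derived only from an integer id removes that possibility.

```php
<?php
// Added example (hypothetical, not the Code Snippets plugin's code).
// Demonstrates variable clobbering via extract() and a hardened alternative.

// Stand-in for WordPress's shortcode_atts() so the script runs outside WordPress.
// The real function keeps only the keys listed in $pairs and fills defaults.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts, string $shortcode = ''): array
    {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Constructed base directory for this example.
const SNIPPET_DIR = '/var/www/example/snippets';

// Vulnerable pattern: the file path is computed first, then extract() runs over
// attacker-controlled attributes. Any attribute named "filepath" overwrites
// the local variable before it reaches require_once.
function resolve_snippet_vulnerable(array $atts): string
{
    $filepath = SNIPPET_DIR . '/snippet-' . (int) ($atts['id'] ?? 0) . '.php';
    extract($atts); // every key becomes a local variable, including $filepath
    return $filepath; // the real code would require_once this value
}

// Hardened pattern: no extract(); only the allowlisted "id" key is accepted,
// the path is built solely from an integer, and the result is checked to stay
// inside the snippet directory before it is used.
function resolve_snippet_fixed(array $atts): ?string
{
    $atts = shortcode_atts(['id' => 0], $atts, 'code_snippet');
    $id = (int) $atts['id'];
    if ($id <= 0) {
        return null; // refuse nonsensical ids rather than building a path
    }
    $filepath = SNIPPET_DIR . '/snippet-' . $id . '.php';

    // Defence in depth: even though $id is an int, confirm the final path is
    // a direct child of SNIPPET_DIR with the expected filename shape.
    if (dirname($filepath) !== SNIPPET_DIR
        || !preg_match('/^snippet-\d+\.php$/', basename($filepath))) {
        return null;
    }
    return $filepath;
}

// Constructed attribute sets: a normal one and one that smuggles a "filepath" key.
$benign = ['id' => '7'];
$clobbering = ['id' => '7', 'filepath' => '/tmp/PLACEHOLDER-untrusted.php'];

echo "vulnerable, benign:     ", resolve_snippet_vulnerable($benign), PHP_EOL;
echo "vulnerable, clobbering: ", resolve_snippet_vulnerable($clobbering), PHP_EOL;
echo "fixed, benign:          ", resolve_snippet_fixed($benign) ?? 'rejected', PHP_EOL;
echo "fixed, clobbering:      ", resolve_snippet_fixed($clobbering) ?? 'rejected', PHP_EOL;
```

Run with `php example.php`: the vulnerable resolver returns the smuggled path for the second input, while the fixed resolver ignores the unknown attribute and returns the same in-directory path for both inputs. The design point is that extract() over externally supplied arrays is never safe with a later include; reading named keys from an allowlisted array keeps the path computation independent of attacker-chosen variable names.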

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher creates a Content snippet and uses the '[code_snippet]' shortcode. The 'Enable file-based execution' setting must be turned on (an administrator-controlled option). The vulnerability is then exploited by crafting a snippet whose attributes redirect the included file to attacker-controlled PHP code, which is executed on the server when the snippet is processed.

Remediation

Users are advised to update the Code Snippets plugin to version 3.9.2 or a newer patched version.

Added: Nov 19, 2025, 8:20 AM
Updated: Nov 19, 2025, 8:20 AM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 10.0
exploitability: 6.0
remediation: 7.7
relevance: 1.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.