Code Snippets
cpe:2.3:a:code_snippets:code_snippets:*:*:*:*:wordpress:*:*
- Affected versions: <= 3.9.4
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Code Snippets plugin for WordPress, affecting all versions through 3.9.4. The issue arises from a lack of nonce validation on cloud snippet download and update actions within the Cloud_Search_List_Table class. This vulnerability allows unauthenticated attackers to manipulate logged-in administrators into downloading or updating cloud snippets without their knowledge, by sending a crafted request that exploits this oversight.
Exploitation of this vulnerability could lead to unauthorized downloading or updating of cloud snippets, potentially allowing for the introduction of malicious code or disruption of existing functionality.
To reproduce this vulnerability, an attacker must trick a logged-in administrator into visiting a malicious page. Once the administrator loads that page, it issues a request to the cloud snippet download or update action from the administrator's browser; because the action performs no nonce validation, the request is processed with the administrator's privileges and the cloud snippet is downloaded or updated without their consent.
Users are advised to update the Code Snippets plugin to version 3.9.5 or later, where this vulnerability has been patched.
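To show what the missing check looks like and how the fix closes it, here is an added example that is not the plugin's own code: a hypothetical list-table action handler in its vulnerable form beside a nonce-protected form built on WordPress core's `wp_nonce_url()` and `check_admin_referer()`. The class and method names (`Cloud_Snippet_Actions`, `download_cloud_snippet`, `update_cloud_snippet`), the nonce action string and the admin URL are assumptions.

```php
<?php
// Added example, not the plugin's own code: a hypothetical handler modelled on
// the cloud snippet download/update actions. Class and method names and the
// nonce action string are assumed; the WordPress functions are real core APIs.
class Cloud_Snippet_Actions {
	// Vulnerable pattern: any request carrying the expected parameters runs the
	// action. A logged-in admin who loads a third-party page sends them together
	// with their session cookie, so the forged request is accepted.
	public function handle_vulnerable() {
		if ( ! isset( $_GET['action'], $_GET['cloud_id'] ) ) {
			return;
		}
		$cloud_id = absint( $_GET['cloud_id'] );
		if ( 'download' === $_GET['action'] ) {
			$this->download_cloud_snippet( $cloud_id );
		} elseif ( 'update' === $_GET['action'] ) {
			$this->update_cloud_snippet( $cloud_id );
		}
	}
	// Hardened pattern: each row link is minted with wp_nonce_url() for a nonce
	// tied to the action and snippet id, and the handler verifies it before
	// acting. A page on another origin cannot obtain a valid nonce.
	public function action_link( $action, $cloud_id ) {
		$url = add_query_arg(
			array( 'action' => $action, 'cloud_id' => $cloud_id ),
			admin_url( 'admin.php?page=snippets&type=cloud' ) // assumed page slug
		);
		return wp_nonce_url( $url, "cloud_snippet_{$action}_{$cloud_id}" );
	}
	public function handle_hardened() {
		if ( ! isset( $_GET['action'], $_GET['cloud_id'] ) ) {
			return;
		}
		$action   = sanitize_key( wp_unslash( $_GET['action'] ) );
		$cloud_id = absint( $_GET['cloud_id'] );
		if ( ! in_array( $action, array( 'download', 'update' ), true ) ) {
			return;
		}
		if ( ! current_user_can( 'manage_options' ) ) {
			wp_die( 'Insufficient permissions.' );
		}
		// check_admin_referer() calls wp_die() when the nonce is missing or
		// invalid, so the code below only runs for requests the admin initiated.
		check_admin_referer( "cloud_snippet_{$action}_{$cloud_id}" );
		'download' === $action
			? $this->download_cloud_snippet( $cloud_id )
			: $this->update_cloud_snippet( $cloud_id );
	}
}
```

The capability check is belt-and-braces: the nonce proves the request came from a page WordPress rendered for this user, while `current_user_can()` proves that user is allowed to perform the action at all.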