CVE-2024-3105 (CVSS 9.9) in Woody Code Snippets Plugin Threatens 70,000+ WordPress Sites
A critical security vulnerability has been discovered in the Woody Code Snippets plugin for WordPress, a popular tool used by over 70,000 websites to create and manage code snippets. The flaw, identified as CVE-2024-3105, allows remote code execution (RCE) and poses a severe risk to websites using this plugin. With a CVSS score of 9.9, this vulnerability can be exploited by authenticated users with contributor-level access or higher, potentially allowing them to execute arbitrary code on the server.
The Woody Code Snippets plugin helps administrators insert code snippets or duplicated text into various parts of a website, such as the header, footer, and posts, using shortcodes. The plugin also offers conditional logic to control the display of these snippets. However, the plugin’s insert_php shortcode functionality does not properly restrict its use to high-level authorized users, creating an opening for lower-privileged users to exploit this feature.
Due to the lack of adequate permission checks, contributors and above can leverage the insert_php shortcode to execute arbitrary PHP code on the server. This could lead to complete server compromise, data theft, website defacement, or further propagation of malware.
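The following is an added, illustrative WordPress shortcode handler, not code from the Woody Code Snippets plugin or its 2.5.1 fix; it shows the two controls the flaw above lacks: a capability check on the post author (not the page viewer, because shortcodes expand at render time) and no evaluation of user-supplied PHP at all. The shortcode name example_snippet, the capability manage_options and the snippet registry are assumptions for the example.

```php
<?php
// Added example: capability-gated shortcode that runs only admin-registered
// snippets. Not the plugin's own code; names below are hypothetical.

// Registry of snippets that only an administrator can define in code.
// User content never reaches eval(); the shortcode can only pick a name.
$example_snippet_registry = array(
    'year'      => function () { return date('Y'); },
    'site_name' => function () { return esc_html(get_bloginfo('name')); },
);

add_shortcode('example_snippet', 'example_snippet_shortcode');

function example_snippet_shortcode($atts) {
    global $example_snippet_registry;

    // Shortcodes expand when a visitor renders the page, so
    // current_user_can() here would test the viewer, not whoever
    // inserted the shortcode. Check the post author's capability.
    $post = get_post();
    if (!$post) {
        return '';
    }
    if (!user_can((int) $post->post_author, 'manage_options')) {
        // A contributor-level author cannot trigger snippets: render
        // nothing and leave a log line for the site operator.
        error_log(sprintf(
            'example_snippet blocked: post %d, author %d lacks manage_options',
            $post->ID, (int) $post->post_author
        ));
        return '';
    }

    $atts = shortcode_atts(array('name' => ''), $atts, 'example_snippet');
    $name = sanitize_key($atts['name']);

    // Unknown names fail closed rather than falling through to arbitrary code.
    if (!isset($example_snippet_registry[$name])) {
        return '';
    }
    return call_user_func($example_snippet_registry[$name]);
}
```

Site operators auditing for this issue can also list posts whose content contains the affected shortcode and compare each post_author's role against the capability the snippet feature should require.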
Security researcher Webbernaut has been credited with discovering and reporting this flaw.
Developers of Woody Code Snippets have released version 2.5.1 to address the CVE-2024-3105 vulnerability. All users of the plugin are urged to update to this version immediately to protect their websites from potential attacks.
Website owners and administrators should also monitor their sites for any suspicious activity, such as unexpected changes in content or unauthorized user accounts. If any signs of compromise are detected, immediate action should be taken to secure the site and investigate the extent of the damage.