A vulnerability in the Real-Time Find and Replace WordPress plugin could be exploited by attackers to create rogue admin accounts.
The Real-Time Find and Replace WordPress plugin is currently installed on over 100,000 sites, it allows users to dynamically (i.e. at the time when a page is generated) replace code and text from themes and other plugins with code and text of their choice before a page is delivered to a user’s browser.
The find and replace happens in real-time, this means that it could be done without changing plugins and themes, making upgrades easy.
The vulnerability was discovered by Wordfence researchers, it is a Cross-Site Request Forgery flaw that could lead to Stored Cross-Site Scripting (Stored XSS) attacks.
WordFence reported the issue to the plugin development team on April 22, 2020, and they released a patch just a few hours.
Wordfence rated the vulnerability as a high severity issue and assigned it a CVSS score of 8.8.
The flaw impacts all Real-Time Find and Replace versions up to 3.9, the developer addressed the issue with the release of the version 4.0.2.
The vulnerability could allow attackers to take over the targeted WordPress site, the malicious code would then execute anytime a user navigated to a page that contained the original content.
Experts explained that to replace content before the website data is sent to the users’ browser, the plugin registers a sub-menu page tied to the function far_options_page with a capability requirement to activate_plugins.
The far_options_page function includes the code for adding new find and replace rules, but experts noticed that it failed to use nonce verification, this means that it was not able to check the integrity of a request’s source during rule update. This means that an attacker could launch a Cross-Site Request Forgery attack.
Users should immediately update to version 4.0.2, at the time, less than 30K users gave updated their Real-Time Find and Replace installations to 4.0.2.
Unfortunately, the number of attacks attempting to exploit vulnerabilities in WordPress plugins continues to increase.
A few weeks ago researchers at NinTechNet reported an ongoing campaign that was actively exploiting a zero-day flaw in the WordPress Flexible Checkout Fields for WooCommerce plugin. Other attacks recently observed are:
I believe it is very important to protect WordPress install with dedicated solutions, I’m currently using WordFence solution, the company provided with a license to evaluate the premium features.
Please give me your vote for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
(SecurityAffairs – WordPress, hacking)