A serious security flaw discovered in a WordPress plugin risked over 100,000 websites. Researchers identified it as an XSS vulnerability in the Real-Time Find and Replace plugin.
Real-Time Find and Replace Plugin Vulnerability
The security team from Wordfence found another vulnerable WordPress plugin. This time, it is the Real-Time Find and Replace plugin that had contained an XSS vulnerability affecting thousands of websites. Exploiting the flaw could allow an attacker to gain administrative access to the site and perform malicious activities.
Real-Time Find and Replace plugin helps to replace HTML content on WordPress sites without permanently changing the source content.
As elaborated in the blog post, the bug existed in the far_options_page function of the plugin.
far_options_pagefunction contains the core of the plugin’s functionality for adding new find and replace rules. Unfortunately, that function failed to use nonce verification, so the integrity of a request’s source was not verified during rule update, resulting in a Cross-Site Request Forgery vulnerability.
An attacker could replace HTML content on the target website with malicious code which could execute every time a user would navigate to the page. Through this code, the attacker could easily create new admin accounts, redirect visitors to malicious sites, and intercept session cookies.
Bug Fixed – Update Now!
Upon finding the vulnerability, Wordfence contacted the plugin developers who then patched the flaw. Explaining the fix, the researchers stated,
In the most up to date version, a nonce has been added along with a
check_admin_referernonce verification function to ensure the legitimacy of the source of a request.
The plugin website changelog also states that the version 4.0.2 includes the fix for the bug. Users should thus ensure that their sites are running the latest version of the Real-Time Find and Replace plugin to avoid any exploit.
Let us know your thoughts in the comments.