This buggy WordPress plugin allows hackers to lace websites with malicious code
Security researchers have identified a flaw in the Real-Time Find and Replace WordPress plugin that could allow hackers to lace websites with malicious code.
The affected plugin affords WordPress users the ability to edit website code and text content in real-time, without having to go into the backend – and reportedly features on over 100,000 sites.
Uncovered by threat analysts at Wordfence, the exploit manipulates a Cross-Site Request Forgery (CSRF) flaw in the plugin, which the hacker can use to push infected content to the website and create new admin accounts.
The bug reportedly affects all iterations of the plugin up to version 3.9.
WordPress plugin vulnerability
According to the Wordfence report – which classifies the vulnerability as severe – an assailant can deceive the legitimate administrator into introducing malicious JavaScript to their website by planting a rigged link in a comment or email.
The code would then be triggered automatically “anytime a user navigated to a page that contained the original content,” explained Wordfence.
The automatic nature of the trigger is especially problematic, increasing the potential scope by magnitudes over an attack-type that requires the victim to interact with an illegitimate download, for instance.
“[The infected JavaScript could] be used to inject a new administrative user account, steal session cookies, or redirect users to a malicious site,” added Wordfence.
The developer was alerted to the flaw on April 22 and responded with an almost immediate patch, issued a few hours after the disclosure. However, despite the developer’s swift action, only 27,000 users have since updated to version 4.0.2, meaning roughly three quarters of users remain vulnerable.
To avoid falling victim to an attack, WordPress users are advised to update the affected plugin immediately.