A high-severity Cross-Site Request Forgery (CSRF) vulnerability has been discovered in the WordPress plugin Real-Time Find and Replace. The flaw leaves the more than 100,000 websites that use the plugin open to attack: for instance, it could allow attackers to inject malicious code into a WordPress site and create rogue administrator accounts.
Real-Time Find and Replace Plugin
The WordPress Real-Time Find and Replace plugin is currently installed on over 100,000 WordPress websites. The plugin allows users to temporarily replace text and code of their website’s content, themes and other plugins in real-time.
The find and replace happens dynamically, without the user having to permanently change their site’s source code, themes or content, which simplifies upgrading plugins and themes. The plugin replaces the text or code at the time the page is generated, just before it is delivered to the browser.
Therefore, any replaced code or content executes whenever users navigate to a page that contains the original code or content.
The WordPress Plugin’s Flaw
The CSRF vulnerability in the WordPress Real-Time Find and Replace plugin was discovered by Wordfence’s threat intelligence team. The vulnerability allows hackers to use cross-site scripting to inject malicious code on WordPress websites. Furthermore, the flaw could allow hackers to create rogue administrator accounts.
Consequences of the Vulnerability
Wordfence’s report also explains that such malicious code injections can be used by hackers to give themselves administrator access to the infected website, steal session cookies, redirect users to malicious sites or infect visitors to the site with malware.
Cause of Plugin Vulnerability
The cause of the vulnerability was a missing nonce verification in the “far_options_page” function of the plugin. This function contains the core of the plugin’s functionality for adding new find and replace rules. As a nonce verification was missing “the integrity of a request’s source was not verified during rule update, resulting in a Cross-Site Request Forgery vulnerability,” Chloe Chamberland, a researcher at Wordfence explained.
How to Fix the Flaw
The vulnerability impacts all Real-Time Find and Replace plugin versions up to version 3.9.
The plugin’s developers addressed the flaw by releasing a full patch for the plugin within a few hours of the initial disclosure report. The patch for the vulnerability is provided in version 4.0.2 of the plugin. In this latest version “… a nonce has been added along with a check_admin_referer nonce verification function to ensure the legitimacy of the source of a request,” said Chamberland.
Therefore, to fix the WordPress plugin’s vulnerability, users of the plugin are advised to update their plugin to version 4.0.2 immediately.
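The following is an added illustration of the defect described above and of the nonce-based fix, written for this article and not taken from the plugin’s own source. It assumes hypothetical function, option and field names prefixed “example_”; only far_options_page and check_admin_referer are named on the page, and the WordPress functions used (wp_nonce_field, check_admin_referer, current_user_can, update_option, wp_unslash) are real core APIs.

```php
<?php
// Added illustration, not the plugin's code. All "example_" names are hypothetical.

// BEFORE: the handler saves rules straight from $_POST. The capability check alone
// does not help against CSRF, because a logged-in administrator's browser sends
// the session cookie with a forged form post from another site, so the request
// passes current_user_can() and the attacker's rule is stored. This mirrors the
// missing nonce verification the advisory describes in far_options_page.
function example_save_rules_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    if ( ! isset( $_POST['example_find'], $_POST['example_replace'] ) ) {
        return false;
    }
    update_option( 'example_far_rules', array(
        'find'    => wp_unslash( $_POST['example_find'] ),
        'replace' => wp_unslash( $_POST['example_replace'] ),
    ) );
    return true;
}

// AFTER: the settings form embeds a nonce tied to this action and to the
// current user's session ...
function example_render_rules_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_far_save_rules', 'example_far_nonce' );
    echo '<input type="text" name="example_find">';
    echo '<input type="text" name="example_replace">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// ... and the handler verifies it before touching the rules. A cross-site
// request cannot carry a valid nonce, so check_admin_referer() stops it
// (by default it terminates the request with an "Are you sure?" page).
function example_save_rules_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    if ( ! isset( $_POST['example_find'], $_POST['example_replace'] ) ) {
        return false;
    }
    check_admin_referer( 'example_far_save_rules', 'example_far_nonce' );
    // The replacement text is intentionally left unsanitized here: replacing
    // markup and code is the plugin's purpose, so the nonce is the control.
    update_option( 'example_far_rules', array(
        'find'    => wp_unslash( $_POST['example_find'] ),
        'replace' => wp_unslash( $_POST['example_replace'] ),
    ) );
    return true;
}
```

When auditing a plugin for this class of bug, look for every admin handler that writes options or creates users and confirm that a nonce (or a REST permission callback) is checked on the same code path as the capability check.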