A high-severity cross-site request forgery (CSRF) vulnerability allegedly affects the Real-Time Find and Replace WordPress plugin, which is active on more than 100,000 sites. The flaw could be used to trigger cross-site scripting (XSS) and to inject malicious JavaScript anywhere on the victim's website.

Real-Time Find and Replace

According to Wordfence research released Monday, the injected code could be used to create a new administrative user account, steal session cookies, redirect users to a malicious site, obtain administrative access, or infect visitors who browse the compromised site with a drive-by malware attack.

Real-Time Find and Replace lets administrators automatically swap out any HTML content on WordPress pages for new content, without permanently altering the source, right before the page is sent to a user's browser. Whenever a visitor navigates to a page that includes the original content, the replacement code or material is what executes instead.

“To provide this functionality, the plugin registers a sub-menu page tied to the function far_options_page, with a capability requirement to ‘activate_plugins,’” explained Wordfence researcher Chloe Chamberland, in a Monday posting. “The far_options_page function contains the core of the plugin’s functionality for adding new find-and-replace rules. Unfortunately, that function failed to use nonce verification, so the integrity of a request’s source was not verified during rule update, resulting in a CSRF vulnerability.”

Cross-site request forgery attacks (CSRF or XSRF for short) are used to send malicious requests to a web server on behalf of an authenticated user. A successful exploit of the vulnerability therefore requires user interaction: according to Wordfence, an attacker would have to trick the administrator of a site into clicking a malicious link in a comment or email.

She added that attackers could wreak havoc, especially if they used the bug to replace the <head> HTML tag with malicious JavaScript. Since nearly every site has a <head> tag at the top of each page, this would allow the malicious code to execute on every page of the affected site until the rule is replaced.

Updating to the latest version of the plugin, 4.0.2, applies the patch for this problem.

“In the most up-to-date version, a nonce has been added along with a check_admin_referer nonce verification function to ensure the legitimacy of the source of a request,” said Chamberland.
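The pattern Chamberland describes, as an added example that is not the plugin's own code: a WordPress admin handler that checks only the capability (the CSRF-vulnerable shape), beside one that also issues a nonce with the form and verifies it with check_admin_referer before touching the stored rules. All function names prefixed example_, the option key example_far_rules, and the nonce action and field names are hypothetical stand-ins for the plugin's real far_options_page handler; the WordPress API calls (current_user_can, check_admin_referer, wp_nonce_field, add_submenu_page, get_option, update_option) are real.

```php
<?php
// Added example, not code from the Real-Time Find and Replace plugin.
// "example_*" names and the "example_far_rules" option key are hypothetical.

// --- Vulnerable shape: capability check only, no nonce -----------------------
// Any POST that arrives with the administrator's session cookie is accepted,
// including a form auto-submitted from an unrelated page the admin was lured
// to open. That is the CSRF condition the article describes.
function example_far_options_page_vulnerable() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    if ( isset( $_POST['find'], $_POST['replace'] ) ) {
        $rules   = (array) get_option( 'example_far_rules', array() );
        $rules[] = array(
            'find'    => wp_unslash( $_POST['find'] ),
            'replace' => wp_unslash( $_POST['replace'] ),
        );
        // Whatever HTML the request carried is now served on every page.
        update_option( 'example_far_rules', $rules );
    }
    // ... render the rules form (omitted) ...
}

// --- Hardened shape: nonce issued with the form, verified on submit ----------
function example_far_options_page_hardened() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    if ( isset( $_POST['find'], $_POST['replace'] ) ) {
        // check_admin_referer() calls wp_die() when the nonce field is missing
        // or does not validate for this user and action. A cross-site form
        // cannot read the per-user nonce, so it never reaches update_option().
        check_admin_referer( 'example_far_update_rules', 'example_far_nonce' );

        // The plugin needs raw HTML in both fields by design, so request-origin
        // verification plus the capability check is the actual control here.
        $rules   = (array) get_option( 'example_far_rules', array() );
        $rules[] = array(
            'find'    => wp_unslash( $_POST['find'] ),
            'replace' => wp_unslash( $_POST['replace'] ),
        );
        update_option( 'example_far_rules', $rules );
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_far_update_rules', 'example_far_nonce' ); ?>
        <label>Find <input type="text" name="find" /></label>
        <label>Replace <input type="text" name="replace" /></label>
        <?php submit_button( 'Add rule' ); ?>
    </form>
    <?php
}

// Register the sub-menu page with the hardened handler, gated on the same
// 'activate_plugins' capability the article mentions.
add_action( 'admin_menu', function () {
    add_submenu_page(
        'tools.php',
        'Find and Replace (example)',
        'Find and Replace (example)',
        'activate_plugins',
        'example-far',
        'example_far_options_page_hardened'
    );
} );
```

The two handlers differ by a single line, the check_admin_referer call, plus the matching wp_nonce_field in the rendered form. When reviewing a plugin for this class of bug, look for every admin callback that writes options or rules on POST and confirm that a nonce is both emitted in the form and verified before the write; a capability check alone does not establish where the request came from.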

This is not the first time

WordPress plugins tend to make headlines as weak links that can lead to compromised websites. For example, a pair of security vulnerabilities (one of them critical) was found in April in the WordPress search engine optimization (SEO) plugin Rank Math.

According to researchers, they could allow remote attackers to elevate privileges and install malicious redirects on a target site. Rank Math is a WordPress plugin with over 200,000 installations.

In March, a critical vulnerability was found in the WordPress plugin ThemeREX Addons, which could open the door to remote code execution on 44,000 websites.

Also in March, two vulnerabilities, one of them a high-severity bug, were patched in the popular WordPress plugin Popup Builder. The more severe flaw could allow an unauthenticated attacker to inject malicious JavaScript into a popup, potentially opening up more than 100,000 websites to takeover.

In February, the popular WordPress plugin Duplicator, which has over 1 million active installs, was also found to have an unauthenticated arbitrary file download flaw that was being actively targeted.

And earlier this month, a critical flaw was disclosed in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR). The vulnerability could allow attackers to edit content or insert malicious JavaScript into victim websites. It affected 700,000 sites.