The injection of malicious code may be used to build a new administrative user account, to steal session cookies, to redirect users to a malicious site, to obtain administrative access, or to infect innocent visitors who browse a compromised site with a drive-by malware attack, according to Wordfence research released Monday.
Real-Time Find and Replace lets administrators automatically replace any HTML content on WordPress pages with new content, without permanently altering the source content, right before a page is sent to a user’s browser. Whenever a user navigates to a page that includes the original content, the replacement code or material is served in its place.
“To provide this functionality, the plugin registers a sub-menu page tied to the function far_options_page, with a capability requirement of ‘activate_plugins’,” explained Wordfence researcher Chloe Chamberland, in a Monday posting. “The far_options_page function contains the core of the plugin’s functionality for adding new find-and-replace rules. Unfortunately, that function failed to use nonce verification, so the integrity of a request’s source was not verified during rule update, resulting in a CSRF vulnerability.”
Cross-site request forgery (CSRF or XSRF) attacks are used to send malicious requests to a web server on behalf of an authenticated user. A successful exploit of the vulnerability therefore requires user interaction: according to Wordfence, an attacker would have to trick the administrator of a site into clicking a malicious link in a comment or email.
Updating to version 4.0.2, the latest version of the plugin, patches this problem.
“In the most up-to-date version, a nonce has been added along with a check_admin_referer nonce verification function, to ensure the legitimacy of the source of a request,” said Chamberland.
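The missing check and its fix, as an added PHP sketch that is not the plugin's own code: the first handler saves find-and-replace rules behind only a capability check, the second adds the nonce field and check_admin_referer verification that Chamberland describes. All function, option and form field names are hypothetical.

```php
<?php
// Added illustration (not the plugin's own code): a minimal WordPress
// options handler in the shape Wordfence describes. Names are hypothetical.

// VULNERABLE shape: rules are saved on POST without checking where the
// request came from. A capability check alone does not stop CSRF, because
// a forged cross-site POST rides on the logged-in admin's own cookies.
function example_far_options_page_vulnerable() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_POST['example_find'], $_POST['example_replace'] ) ) {
        update_option( 'example_far_rules', array(
            'find'    => wp_unslash( $_POST['example_find'] ),
            'replace' => wp_unslash( $_POST['example_replace'] ),
        ) );
    }
    example_far_render_form( false );
}

// HARDENED shape: a nonce is emitted in the form and verified on submit,
// which is what version 4.0.2 added. check_admin_referer() calls wp_die()
// when the nonce is missing or stale, so a forged POST is rejected before
// any rule is stored. wp_kses_post() on the replacement is an extra layer,
// since whatever is stored here is injected into every rendered page.
function example_far_options_page_fixed() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_POST['example_find'], $_POST['example_replace'] ) ) {
        check_admin_referer( 'example_far_save_rules', 'example_far_nonce' );
        update_option( 'example_far_rules', array(
            'find'    => sanitize_text_field( wp_unslash( $_POST['example_find'] ) ),
            'replace' => wp_kses_post( wp_unslash( $_POST['example_replace'] ) ),
        ) );
    }
    example_far_render_form( true );
}

function example_far_render_form( $with_nonce ) {
    echo '<form method="post">';
    if ( $with_nonce ) {
        // Emits a hidden field named example_far_nonce bound to this action.
        wp_nonce_field( 'example_far_save_rules', 'example_far_nonce' );
    }
    echo '<input name="example_find"><input name="example_replace">';
    submit_button( 'Save rule' );
    echo '</form>';
}
```

The nonce is tied to the action name, the current user and the session, so a page on another origin cannot obtain or guess it to complete the forged request.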
This is not the first time
WordPress plugins tend to make headlines as weak links that can lead to compromised websites. For example, a pair of security vulnerabilities (one of them critical) was found in April in the WordPress search engine optimization (SEO) plugin known as Rank Math.
According to researchers, they could allow remote cyber criminals to elevate privileges and install malicious redirects on a target site. Rank Math is a WordPress plugin with over 200,000 installations.
In March, a critical vulnerability was found in a WordPress plugin known as “ThemeREX Addons”, which could open the door to remote code execution on 44,000 websites.
In February, Duplicator, a popular WordPress plugin with over 1 million active installs, was also discovered to have an unauthenticated arbitrary file download flaw that was being actively targeted.