100k+ WordPress sites exposed to hack due to a bug in Real-Time Find and Replace plugin

Pierluigi Paganini April 28, 2020

A bug in the Real-Time Find and Replace WordPress plugin could allow hackers to hackers to create rogue admin accounts on over 100,000 sites.

A vulnerability in the Real-Time Find and Replace WordPress plugin could be exploited by attackers to create rogue admin accounts.

The Real-Time Find and Replace WordPress plugin is currently installed on over 100,000 sites, it allows users to dynamically (i.e. at the time when a page is generated) replace code and text from themes and other plugins with code and text of their choice before a page is delivered to a user’s browser.

The find and replace happens in real-time, this means that it could be done without changing plugins and themes, making upgrades easy.

The vulnerability was discovered by Wordfence researchers, it is a Cross-Site Request Forgery flaw that could lead to Stored Cross-Site Scripting (Stored XSS) attacks.

Attackers can trigger the issue to trick WordPress admins into injecting malicious JavaScript into the pages of their websites by clicking a malicious link within a comment or email.

“On April 22, 2020, our Threat Intelligence team discovered a vulnerability in Real-Time Find and Replace, a WordPress plugin installed on over 100,000 sites. This flaw could allow any user to inject malicious Javascript anywhere on a site if they could trick a site’s administrator into performing an action, like clicking on a link in a comment or email.” reads the analysis published by WordFence.

WordFence reported the issue to the plugin development team on April 22, 2020, and they released a patch just a few hours.

Wordfence rated the vulnerability as a high severity issue and assigned it a CVSS score of 8.8.

The flaw impacts all Real-Time Find and Replace versions up to 3.9, the developer addressed the issue with the release of the version 4.0.2.

The vulnerability could allow attackers to take over the targeted WordPress site, the malicious code would then execute anytime a user navigated to a page that contained the original content.

“An attacker could use this vulnerability to replace a HTML tag like with malicious Javascript. This would cause the malicious code to execute on nearly every page of the affected site, as nearly all pages start with a HTML tag for the page header, creating a significant impact if successfully exploited.” continues the report. “The malicious code could be used to inject a new administrative user account, steal session cookies, or redirect users to a malicious site, allowing attackers the ability to obtain administrative access or to infect innocent visitors browsing a compromised site.”

Real-Time Find and Replace

Experts explained that to replace content before the website data is sent to the users’ browser, the plugin registers a sub-menu page tied to the function far_options_page with a capability requirement to activate_plugins.

The far_options_page function includes the code for adding new find and replace rules, but experts noticed that it failed to use nonce verification, this means that it was not able to check the integrity of a request’s source during rule update. This means that an attacker could launch a Cross-Site Request Forgery attack.

Users should immediately update to version 4.0.2, at the time, less than 30K users gave updated their Real-Time Find and Replace installations to 4.0.2.

Unfortunately, the number of attacks attempting to exploit vulnerabilities in WordPress plugins continues to increase.

A few weeks ago researchers at NinTechNet reported an ongoing campaign that was actively exploiting a zero-day flaw in the WordPress Flexible Checkout Fields for WooCommerce plugin. Other attacks recently observed are:

  • Jan. 2020 – An authentication bypass vulnerability in the InfiniteWP plugin that could potentially impact by more than 300,000 sites.
  • Jan. 2020 – Over 200K WordPress sites are exposed to attacks due to a high severity cross-site request forgery (CSRF) bug in Code Snippets plugin.
  • Feb. 2020 – A serious flaw in the ThemeGrill Demo Importer WordPress theme plugin with over 200,000 active installs can be exploited to wipe sites and gain admin access to the site.
  • Feb. 2020 – A stored cross-site vulnerability in the GDPR Cookie Consent plugin that could potentially impact 700K users.
  • Feb. 2020 – A zero-day vulnerability in the ThemeREX Addons was actively exploited by hackers in the wild to create user accounts with admin permissions.
  • March 2020 – The WordPress plugin ‘ThemeREX Addons’ is affected by a critical vulnerability that could allow remote attackers to execute arbitrary code.
  • March 2020 – Flaws in the Popup Builder WordPress plugin could allow unauthenticated attackers to inject malicious JavaScript code into popups of 100K+ websites.
  • March 2020 – A critical flaw in Rank Math WordPress plugin allows hackers to give users Admins privileges

I believe it is very important to protect WordPress install with dedicated solutions, I’m currently using WordFence solution, the company provided with a license to evaluate the premium features.

Please give me your vote for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – WordPress, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment