A vulnerability in the Real-Time Find and Replace WordPress plugin could be exploited by attackers to create rogue admin accounts.
The Real-Time Find and Replace WordPress plugin is currently installed on over 100,000 sites. It allows users to dynamically (i.e. at the time a page is generated) replace code and text from themes and other plugins with code and text of their choice before the page is delivered to a visitor's browser.
Because the find and replace happens in real time, the substitution is done without modifying the plugin or theme files themselves, which keeps upgrades easy.
The vulnerability was discovered by Wordfence researchers. It is a Cross-Site Request Forgery (CSRF) flaw that can be escalated to Stored Cross-Site Scripting (Stored XSS).
Attackers can exploit the issue by tricking a logged-in WordPress administrator into clicking a malicious link, for example within a comment or email; the forged request then injects attacker-controlled JavaScript into the pages of the administrator's own site.
“On April 22, 2020, our Threat Intelligence team discovered a vulnerability in Real-Time Find and Replace, a WordPress plugin installed on over 100,000 sites. This flaw could allow any user to inject malicious Javascript anywhere on a site if they could trick a site’s administrator into performing an action, like clicking on a link in a comment or email.” reads the analysis published by WordFence.
Wordfence reported the issue to the plugin development team on April 22, 2020, and the developers released a patch within a few hours.
Wordfence rated the vulnerability as a high severity issue and assigned it a CVSS score of 8.8.
The flaw impacts all Real-Time Find and Replace versions up to 3.9; the developer addressed the issue with the release of version 4.0.2.
The vulnerability could allow attackers to take over the targeted WordPress site: once a malicious replacement rule is stored, the injected code executes every time a visitor loads a page that contains the original content matched by the rule.
“An attacker could use this vulnerability to replace a HTML tag like <head> with malicious Javascript. This would cause the malicious code to execute on nearly every page of the affected site, as nearly all pages start with a <head> HTML tag for the page header, creating a significant impact if successfully exploited.” continues the report. “The malicious code could be used to inject a new administrative user account, steal session cookies, or redirect users to a malicious site, allowing attackers the ability to obtain administrative access or to infect innocent visitors browsing a compromised site.”
Experts explained that, to let administrators define the content to be replaced before the page is sent to the browser, the plugin registers an admin sub-menu page whose callback is the function far_options_page, with the capability requirement activate_plugins.
The far_options_page function also contains the code that adds new find and replace rules, but the researchers noticed that it performed no nonce verification when processing a rule update. A capability check only confirms that the browser submitting the request belongs to an administrator; it does not prove that the request originated from the site's own admin form rather than from a page the attacker controls. Without a nonce the plugin could not verify the source of the request, so an attacker could mount a Cross-Site Request Forgery attack that rides on the administrator's authenticated session.
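To make the missing check concrete, here is an added illustration of the pattern, written for this page and not taken from the plugin's source: a hypothetical options-page callback that saves a rule without a nonce, beside the same callback hardened with WordPress nonce verification. The option name `far_rules_demo`, the field names `far_find`, `far_replace`, `far_nonce` and the action string `far_save_rules` are all assumptions made for the example.

```php
<?php
// Added illustration (not the plugin's actual code): an admin sub-menu page
// gated on the activate_plugins capability, shown first without and then
// with nonce verification. Option and field names are hypothetical.

add_action( 'admin_menu', function () {
    add_submenu_page(
        'tools.php',
        'Find and Replace rules',
        'Find and Replace',
        'activate_plugins',          // WordPress enforces this before calling the callback
        'far-rules-demo',
        'far_options_page_fixed'     // swap in far_options_page_vulnerable to reproduce the flaw
    );
} );

// VULNERABLE: the capability gate proves only that the browser sending the
// request is logged in as an admin. A cross-site POST (e.g. an auto-submitting
// form on an attacker's page, reached from a link in a comment or email) carries
// the admin's session cookies, so the gate passes and the rule is saved.
function far_options_page_vulnerable() {
    if ( isset( $_POST['far_find'], $_POST['far_replace'] ) ) {
        $rules   = (array) get_option( 'far_rules_demo', array() );
        $rules[] = array(
            'find'    => wp_unslash( $_POST['far_find'] ),
            'replace' => wp_unslash( $_POST['far_replace'] ),  // may be <script>...</script>
        );
        update_option( 'far_rules_demo', $rules );
    }
    far_render_rule_form( false );
}

// FIXED: require a nonce bound to this action and to the admin's session.
// check_admin_referer() validates the nonce (and the referer) and calls
// wp_die() on mismatch, so a forged request never reaches update_option().
function far_options_page_fixed() {
    if ( isset( $_POST['far_find'], $_POST['far_replace'] ) ) {
        if ( ! current_user_can( 'activate_plugins' ) ) {
            wp_die( 'Insufficient privileges.' );
        }
        check_admin_referer( 'far_save_rules', 'far_nonce' );

        $rules   = (array) get_option( 'far_rules_demo', array() );
        $rules[] = array(
            'find'    => wp_unslash( $_POST['far_find'] ),
            'replace' => wp_unslash( $_POST['far_replace'] ),
        );
        update_option( 'far_rules_demo', $rules );
    }
    far_render_rule_form( true );
}

// Renders the rule form; wp_nonce_field() emits the hidden far_nonce input
// (plus _wp_http_referer) that the fixed handler verifies.
function far_render_rule_form( $with_nonce ) {
    echo '<form method="post">';
    if ( $with_nonce ) {
        wp_nonce_field( 'far_save_rules', 'far_nonce' );
    }
    echo '<input type="text" name="far_find" placeholder="&lt;/head&gt;">';
    echo '<input type="text" name="far_replace" placeholder="replacement">';
    submit_button( 'Add rule' );
    echo '</form>';
}
```

Note that the replacement value is deliberately stored unescaped in both variants: injecting arbitrary markup is the plugin's purpose, so output encoding is not the fix here. The fix is proving that the request came from the site's own form, and the nonce check belongs alongside the capability check, not instead of it.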
Users should immediately update to version 4.0.2; at the time of the disclosure, fewer than 30,000 sites had updated their Real-Time Find and Replace installations to 4.0.2.
Unfortunately, the number of attacks attempting to exploit vulnerabilities in WordPress plugins continues to increase.
A few weeks ago researchers at NinTechNet reported an ongoing campaign that was actively exploiting a zero-day flaw in the WordPress Flexible Checkout Fields for WooCommerce plugin. Other attacks recently observed are:
I believe it is very important to protect WordPress installs with dedicated solutions. I'm currently using the Wordfence solution; the company provided me with a license to evaluate the premium features.