Researchers at Wordfence have discovered a severe vulnerability in a popular WordPress plugin. As stated in a recent blog post, the Real-Time Find and Replace plugin, which is installed on at least 100,000 WordPress sites, is affected by a cross-site scripting flaw. According to the company’s own description, the plugin is used to “dynamically… replace code and text from themes and other plugins with code and text of your choosing before a page is delivered to a user’s browser.” As one can surmise, the vulnerability can be leveraged by a threat actor to inject arbitrary malicious code. This is not the first time a vulnerability in a WordPress plugin has caused trouble.
Wordfence, which offers free and paid endpoint firewall protection and malware scanners to protect WordPress users, describes the actual process of exploiting the vulnerability as follows:
The far_options_page function contains the core of the plugin’s functionality for adding new find and replace rules. Unfortunately, that function failed to use nonce verification, so the integrity of a request’s source was not verified during rule update, resulting in a Cross-Site Request Forgery vulnerability… Any attacker capable of tricking a site owner into executing an unwanted action could replace any content or HTML on a vulnerable site with new content or malicious code. This replacement code or content would then execute anytime a user navigated to a page that contained the original content.
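To make the missing check described above concrete, the following is an added PHP illustration, not the plugin's own code: a simplified WordPress options-page handler in the vulnerable shape (a rule is saved from any POST that reaches it, with no nonce verification) beside the hardened form that checks capability and nonce before writing. Only the function name far_options_page comes from the page; the option name far_rules_demo, the form field names, the nonce action far_save_rules and the helper far_render_form are assumptions made for the example.

```php
<?php
// Added illustration (not the plugin's own code). Names other than
// far_options_page are hypothetical.

// VULNERABLE PATTERN: the handler trusts any POST that reaches it. If a
// logged-in administrator's browser is made to submit a form to wp-admin,
// the session cookie is sent automatically and the rule is saved (CSRF).
function far_options_page_vulnerable() {
    if ( isset( $_POST['far_find'], $_POST['far_replace'] ) ) {
        $rules   = get_option( 'far_rules_demo', array() );
        $rules[] = array(
            'find'    => wp_unslash( $_POST['far_find'] ),
            'replace' => wp_unslash( $_POST['far_replace'] ),
        );
        update_option( 'far_rules_demo', $rules );
    }
    far_render_form();
}

// HARDENED PATTERN: capability check plus nonce verification before any write.
function far_options_page_fixed() {
    // Only users allowed to manage settings may touch rules at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'far-demo' ), 403 );
    }

    if ( isset( $_POST['far_find'], $_POST['far_replace'] ) ) {
        // check_admin_referer() verifies a nonce tied to this action and the
        // current user session; it stops with a 403 if the token is missing,
        // stale or issued for another user, so a forged cross-site POST
        // never reaches update_option().
        check_admin_referer( 'far_save_rules', 'far_nonce' );

        // The plugin's purpose is to inject arbitrary markup, so filtering the
        // replacement text is not an option here; verifying the request's
        // origin and the actor's capability is the control.
        $rules   = get_option( 'far_rules_demo', array() );
        $rules[] = array(
            'find'    => wp_unslash( $_POST['far_find'] ),
            'replace' => wp_unslash( $_POST['far_replace'] ),
        );
        update_option( 'far_rules_demo', $rules );
    }
    far_render_form();
}

// Renders the settings form; wp_nonce_field() emits the hidden token that
// check_admin_referer() later validates under the same action name.
function far_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'far_save_rules', 'far_nonce' ); ?>
        <input type="text" name="far_find" placeholder="find">
        <input type="text" name="far_replace" placeholder="replace">
        <?php submit_button( 'Add rule' ); ?>
    </form>
    <?php
}
```

The nonce pairs with the capability check rather than replacing it: the nonce proves the request came from a form the site itself rendered for this user, while current_user_can() proves the user is allowed to change settings in the first place. Either check alone leaves a gap.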
As this XSS vulnerability registers as an 8.8 on the Common Vulnerability Scoring System (CVSS) scale, Wordfence made sure to inform the developers as soon as possible. The result of this quick action is a patch that is now available in the newest Real-Time Find and Replace update, version 4.0.2. Wordfence researchers urge site admins to install the update as soon as possible, especially if they are not on the Wordfence Premium plan. Wordfence Premium does offer some XSS protection via its firewall; however, leaving a publicly known vulnerability exploitable is foolish.
Updating a website takes no time, so get to patching.