This buggy WordPress plugin allows hackers to lace websites with malicious code

(Image credit: Shutterstock / Magura)

Security researchers have identified a flaw in the Real-Time Find and Replace WordPress plugin that could allow hackers to lace websites with malicious code.

The affected plugin affords WordPress users the ability to edit website code and text content in real-time, without having to go into the backend - and reportedly features on over 100,000 sites.

Uncovered by threat analysts at Wordfence, the exploit manipulates a Cross-Site Request Forgery (CSRF) flaw in the plugin, which the hacker can use to push infected content to the website and create new admin accounts.

The bug reportedly affects all iterations of the plugin up to version 3.9.

WordPress plugin vulnerability

According to the Wordfence report - which classifies the vulnerability as severe - an assailant can deceive the legitimate administrator into introducing malicious JavaScript to their website by planting a rigged link in a comment or email.

The code would then be triggered automatically “anytime a user navigated to a page that contained the original content,” explained Wordfence. 

The automatic nature of the trigger is especially problematic, increasing the potential scope by magnitudes over an attack-type that requires the victim to interact with an illegitimate download, for instance.

“[The infected JavaScript could] be used to inject a new administrative user account, steal session cookies, or redirect users to a malicious site,” added Wordfence.

The developer was alerted to the flaw on April 22 and responded with an almost immediate patch, issued a few hours after the disclosure. However, despite the developer’s swift action, only 27,000 users have since updated to version 4.0.2, meaning roughly three quarters of users remain vulnerable.

To avoid falling victim to an attack, WordPress users are advised to update the affected plugin immediately.

Via Bleeping Computer

Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.