This buggy WordPress plugin allows hackers to lace websites with malicious code

Attackers can also abuse the flaw to create administrator accounts


Security researchers have identified a flaw in the Real-Time Find and Replace WordPress plugin that could allow hackers to lace websites with malicious code.

The affected plugin lets WordPress site owners find and replace code and text in their site's output in real time, without editing theme or plugin files in the backend, and reportedly runs on over 100,000 sites.

Uncovered by threat analysts at Wordfence, the bug is a Cross-Site Request Forgery (CSRF) flaw in the plugin: because the plugin does not verify that a find-and-replace request was intentionally submitted by the logged-in administrator, an attacker can forge one on the admin's behalf, push malicious content into the website's pages and, from there, create new admin accounts.

The bug reportedly affects all versions of the plugin up to and including 3.9.

WordPress plugin vulnerability

According to the Wordfence report, which rates the vulnerability as severe, an attacker can trick a legitimate administrator into injecting malicious JavaScript into their own website simply by getting them to click a rigged link, planted in a blog comment or an email, while they are logged in to WordPress.

The code would then be triggered automatically “anytime a user navigated to a page that contained the original content,” explained Wordfence.

The automatic nature of the trigger is especially problematic: the injected script runs for every visitor who loads an affected page, with no further interaction required, which widens the potential reach by orders of magnitude compared with an attack that needs each victim to open a malicious download.
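To make the CSRF mechanism above concrete, here is an added example of the bug class in a hypothetical WordPress settings handler. It is not the Real-Time Find and Replace plugin's code, and every function, option and nonce name beginning with `hypothetical_` is assumed; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `wp_kses_post`) are the real ones. The vulnerable handler accepts any POST that arrives with the admin's cookies, including one auto-submitted from an attacker's page; the hardened one rejects it.

```php
<?php
// Added example, not the plugin's code. Hypothetical handler names, option key
// and nonce action are assumptions made for illustration.

// VULNERABLE: no nonce or capability check. The browser attaches the victim
// admin's session cookies to any request aimed at this site, so a form on an
// attacker-controlled page that auto-submits to the admin URL is processed as
// if the admin had filled it in. The replacement text is stored unfiltered, so
// a <script> tag lands in every page that contains the "find" string.
function hypothetical_save_rules_vulnerable() {
    if ( ! isset( $_POST['find'], $_POST['replace'] ) ) {
        return;
    }
    $rules   = get_option( 'hypothetical_far_rules', array() );
    $rules[] = array(
        'find'    => wp_unslash( $_POST['find'] ),
        'replace' => wp_unslash( $_POST['replace'] ), // stored raw
    );
    update_option( 'hypothetical_far_rules', $rules );
}

// HARDENED: require the manage_options capability, then verify a nonce that is
// bound to the logged-in user and the action name. A cross-origin page cannot
// read the nonce out of the admin form, so a forged request fails
// check_admin_referer() and WordPress stops with a -1 / "link expired" page.
function hypothetical_save_rules_hardened() {
    if ( ! isset( $_POST['find'], $_POST['replace'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    check_admin_referer( 'hypothetical_far_save', 'hypothetical_far_nonce' );

    $rules   = get_option( 'hypothetical_far_rules', array() );
    $rules[] = array(
        'find'    => sanitize_text_field( wp_unslash( $_POST['find'] ) ),
        // Defence in depth: the replacement is rendered into public pages, so
        // restrict it to post-safe markup. wp_kses_post() strips <script> and
        // on* event handlers while keeping ordinary HTML.
        'replace' => wp_kses_post( wp_unslash( $_POST['replace'] ) ),
    );
    update_option( 'hypothetical_far_rules', $rules );
}

// The legitimate settings form must emit the matching nonce field; this is the
// value the attacker's forged form cannot supply.
function hypothetical_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'hypothetical_far_save', 'hypothetical_far_nonce' ); ?>
        <label>Find <input type="text" name="find"></label>
        <label>Replace <input type="text" name="replace"></label>
        <?php submit_button( 'Save rule' ); ?>
    </form>
    <?php
}
```

The nonce and capability checks are the actual fix for the CSRF; the `wp_kses_post()` filtering is a separate mitigation for the stored-script outcome, and a plugin whose job is to inject arbitrary HTML may not be able to apply it, which is exactly why the request-origin check cannot be skipped.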


“[The infected JavaScript could] be used to inject a new administrative user account, steal session cookies, or redirect users to a malicious site,” added Wordfence.

The developer was alerted to the flaw on April 22 and responded almost immediately, issuing a patch a few hours after the report. However, despite the developer's swift action, only about 27,000 sites have since updated to version 4.0.2, meaning roughly three quarters of installations remain vulnerable.

To avoid falling victim to an attack, WordPress site owners running the plugin are advised to update to version 4.0.2 or later immediately.

Via Bleeping Computer

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He’s responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.
