WordPress Plugin Bug Opens 100K Websites to Compromise

wordpress search replace plug in bug

Legions of website visitors could be infected with drive-by malware, among other issues, thanks to a CSRF bug in Real-Time Search and Replace.

A high-severity cross-site request forgery (CSRF) vulnerability in Real-Time Find and Replace, a WordPress plugin installed on more than 100,000 sites, could lead to cross-site scripting and the injection of malicious JavaScript anywhere on a victim site.

According to research from Wordfence released on Monday, the malicious code injection could be used to create a new administrative user account, steal session cookies, redirect users to a malicious site, obtain administrative access or to infect innocent visitors browsing a compromised site with a drive-by malware attack.

Real-Time Find and Replace allows administrators to dynamically replace any HTML content on WordPress sites with new content without permanently changing the source content, right before a page is delivered to a user’s browser. Any replacement code or content executes anytime a user navigates to a page that contains the original content.

“To provide this functionality, the plugin registers a sub-menu page tied to the function far_options_page with a capability requirement to ‘activate_plugins,'” explained Wordfence researcher Chloe Chamberland, in a Monday posting. “The far_options_page function contains the core of the plugin’s functionality for adding new find-and-replace rules. Unfortunately, that function failed to use nonce verification, so the integrity of a request’s source was not verified during rule update, resulting in a CSRF vulnerability.”

Cross-site request forgery attacks (CSRF or XSRF for short) are used to send malicious requests from an authenticated user to a web application. Thus, a successful exploit of the bug does require user interaction: An attacker would need to trick a site’s administrator into clicking on a malicious link in a comment or email, according to Wordfence.

Attackers could particularly wreak havoc if they used the bug to replace the <head> HTML tag with malicious JavaScript, she added. Because most pages contain a <head> HTML tag for the page header, once replacement would cause the malicious code to execute on every page of the affected site.

Updating to the latest version of the plugin, version 4.0.2, will implement a fix for the issue.

“In the most up to date version, a nonce has been added along with a check_admin_referer nonce verification function to ensure the legitimacy of the source of a request,” said Chamberland.

WordPress plugins continue to make headlines as weak links that can lead to website compromises. For instance, in April a pair of security vulnerabilities (one of them critical) in the WordPress search engine optimization (SEO) plugin known as Rank Math, were found. They could allow remote cybercriminals to elevate privileges and install malicious redirects onto a target site, according to researchers. RankMath a WordPress plugin with more than 200,000 installations.

In March, a critical vulnerability in a WordPress plugin known as “ThemeREX Addons” was found that could open the door for remote code execution in 44,000 websites.

Also in March, two vulnerabilities – including a high-severity flaw – were patched in a popular WordPress plugin called Popup Builder. The more severe flaw could enable an unauthenticated attacker to infect malicious JavaScript into a popup – potentially opening up more than 100,000 websites to takeover.

In February, popular WordPress plugin Duplicator, which has more than 1 million active installations, was discovered to have an unauthenticated arbitrary file download vulnerability that was being attacked. And, earlier that month, a critical flaw in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR) was disclosed. The flaw could enable attackers to modify content or inject malicious JavaScript code into victim websites. It affected 700,000 sites.

Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.


Suggested articles