According to research from Wordfence released on Monday, the malicious code injection could be used to create a new administrative user account, steal session cookies, redirect users to a malicious site, obtain administrative access or to infect innocent visitors browsing a compromised site with a drive-by malware attack.
Real-Time Find and Replace allows administrators to dynamically replace any HTML content on WordPress sites with new content without permanently changing the source content, right before a page is delivered to a user’s browser. Any replacement code or content executes anytime a user navigates to a page that contains the original content.
“To provide this functionality, the plugin registers a sub-menu page tied to the function far_options_page with a capability requirement to ‘activate_plugins,'” explained Wordfence researcher Chloe Chamberland, in a Monday posting. “The far_options_page function contains the core of the plugin’s functionality for adding new find-and-replace rules. Unfortunately, that function failed to use nonce verification, so the integrity of a request’s source was not verified during rule update, resulting in a CSRF vulnerability.”
Cross-site request forgery attacks (CSRF or XSRF for short) are used to send malicious requests from an authenticated user to a web application. Thus, a successful exploit of the bug does require user interaction: An attacker would need to trick a site’s administrator into clicking on a malicious link in a comment or email, according to Wordfence.
Updating to the latest version of the plugin, version 4.0.2, will implement a fix for the issue.
“In the most up to date version, a nonce has been added along with a check_admin_referer nonce verification function to ensure the legitimacy of the source of a request,” said Chamberland.
WordPress plugins continue to make headlines as weak links that can lead to website compromises. For instance, in April a pair of security vulnerabilities (one of them critical) in the WordPress search engine optimization (SEO) plugin known as Rank Math, were found. They could allow remote cybercriminals to elevate privileges and install malicious redirects onto a target site, according to researchers. RankMath a WordPress plugin with more than 200,000 installations.
In March, a critical vulnerability in a WordPress plugin known as “ThemeREX Addons” was found that could open the door for remote code execution in 44,000 websites.
Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.