A new one-click error, discovered in the Real-Time Find and Replace plugin, allows hackers to enter malicious code into sites and create fake administrator accounts. WordPress website owners are advised to update the plugin immediately to stay safe.

The error, which is a Cross-Site Request Forgery (CSRF), can lead to Stored Cross-Site Scripting (Stored XSS) attacks. It affects all versions of Real-Time Find and Replaces, up to 3.9.

Malicious agents can trick a legitimate website owner into entering a malicious JavaScript into their account by simply clicking on a link they will find in a misleading email or comment.

Also Read: The TikTok vulnerability allows hackers to replace the viral video

The WordPress Real-Time Find and Replace plugin is especially useful, as it allows a user to temporarily replace a text or code in real-time without having to enter the source code of the site and make permanent changes. This add-on is installed on more than 100,000 sites.

Malicious code imports

As the report of the Chloe Chamberland, an analyst at Wordfence, a hacker can exploit the possibilities afforded by the additive, to insert malicious code into a site and change its content.

This JavaScript code will be executed automatically “whenever a user navigates to a website that contained the original content”, according to Chamberland.


For example, intruders could abuse vulnerability to replace an HTML tag like < head > with their malicious code. This will result in almost all pages on the WordPress site being infected being turned into malicious tools.

Malicious code could then be ‚Äúused to enter a new administrator account, steal cookies or redirect users to a malicious site, allowing intruders to gain administrator access or infect innocent visitors browsing a breach. website ‚ÄĚ, according to the Chamberland report.

Also Read: 405 security vulnerabilities are being fixed by Oracle

The¬†vulnerability¬†was discovered and reported on 22 April.¬†Wordfence rated this security flaw with CVSS 8.8, which makes it very serious, and it’s imperative that users update to version 4.0.2, which completely fixes the bug.

Leave a Reply