A newly disclosed one-click vulnerability in the Real-Time Find and Replace plugin allows attackers to inject malicious code into sites and create rogue administrator accounts. WordPress site owners are advised to update the plugin immediately to stay safe.
The flaw, a Cross-Site Request Forgery (CSRF), can lead to Stored Cross-Site Scripting (Stored XSS) attacks. It affects all versions of Real-Time Find and Replace up to 3.9.
The WordPress Real-Time Find and Replace plugin is popular because it lets a user replace text or code on the fly, without editing the site's source code and making permanent changes. The plugin is installed on more than 100,000 sites.
Malicious code injection
According to the report by Chloe Chamberland, an analyst at Wordfence, an attacker can abuse the functionality the plugin provides to insert malicious code into a site and alter its content.
For example, attackers could abuse the vulnerability to replace an HTML tag such as <head> with their malicious code. Because that tag appears on nearly every page, almost every page of the affected WordPress site would be infected and turned into a vehicle for the attack.
Malicious code could then be “used to enter a new administrator account, steal cookies or redirect users to a malicious site, allowing intruders to gain administrator access or infect innocent visitors browsing a breached website”, according to Chamberland's report.
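To illustrate the bug class described above, here is an added example (not the Real-Time Find and Replace plugin's own code) of a WordPress settings handler that stores a find/replace rule: the first version accepts any POST request carrying the administrator's cookies, so a crafted form on another site could store an attacker's rule; the second adds the capability check and nonce verification that defeat CSRF. The option name, function names and the assumption that the real flaw was a missing nonce check are mine, not the report's.

```php
<?php
// Added illustration, not the Real-Time Find and Replace plugin's code.
// Option name and function names are hypothetical.

// Vulnerable pattern: no nonce, no capability check. Any request that
// reaches this handler with the admin's session cookies (for example a
// form auto-submitted from a page the admin visits) writes the rule.
function rtfr_demo_save_rule_vulnerable() {
    if ( isset( $_POST['find'], $_POST['replace'] ) ) {
        update_option( 'rtfr_demo_rule', array(
            'find'    => wp_unslash( $_POST['find'] ),
            'replace' => wp_unslash( $_POST['replace'] ), // stored unfiltered
        ) );
    }
}

// Hardened pattern: the user must hold manage_options, and the request must
// carry a nonce tied to this action and the current user's session.
function rtfr_demo_save_rule_hardened() {
    if ( ! isset( $_POST['find'], $_POST['replace'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // Stops with a "link expired" page when the nonce is missing or invalid,
    // so a form forged on another origin cannot complete the save.
    check_admin_referer( 'rtfr_demo_save_rule', 'rtfr_demo_nonce' );

    update_option( 'rtfr_demo_rule', array(
        'find'    => sanitize_text_field( wp_unslash( $_POST['find'] ) ),
        // Limit the replacement to the HTML subset wp_kses_post allows
        // (no <script>, no event handlers) to blunt stored XSS.
        'replace' => wp_kses_post( wp_unslash( $_POST['replace'] ) ),
    ) );
}

// The settings form must emit the matching nonce field.
function rtfr_demo_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'rtfr_demo_save_rule', 'rtfr_demo_nonce' );
    echo '<input name="find"><input name="replace">';
    submit_button( 'Save rule' );
    echo '</form>';
}
```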
The vulnerability was discovered and reported on 22 April. Wordfence rated the flaw CVSS 8.8, which makes it very serious, so it is imperative that users update to version 4.0.2, which completely fixes the bug.