A new one-click flaw discovered in the Real-Time Find and Replace plugin allows attackers to inject malicious code into sites and create fake administrator accounts. WordPress site owners are advised to update the plugin immediately so that their sites remain secure.
The flaw, a Cross-Site Request Forgery (CSRF), can lead to Stored Cross-Site Scripting (Stored XSS) attacks. It affects all versions of Real-Time Find and Replace up to 3.9.
The WordPress Real-Time Find and Replace plugin is particularly useful because it lets a user replace text or code on the fly without editing the site's source code and making permanent changes. The plugin is installed on more than 100,000 websites.
Malicious code injection
For example, attackers could abuse the vulnerability to replace an HTML tag such as <head> with their malicious code. As a result, almost every page of the compromised WordPress site would serve malware.
The malicious code could then "be used to add a new administrator account, steal session cookies, or redirect users to a malicious website, allowing attackers to gain administrator access or infect innocent visitors browsing a compromised site," according to Chamberland's report.
The vulnerability was discovered and reported on April 22. Wordfence rated the flaw with a CVSS score of 8.8, which makes it high severity, and users should update to version 4.0.2, which fully fixes the bug, without delay.
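The flaw described above is a CSRF: a settings handler that accepts any POST request that reaches it, so an administrator who is lured to an attacker-controlled page can be made to save a replacement rule without knowing it. The following is an added illustration, not code from the Real-Time Find and Replace plugin or from Wordfence, showing the generic WordPress pattern for such a handler and its hardened form. All names (frr_demo_*, the option key, the form fields) are hypothetical; the WordPress API calls (check_admin_referer, current_user_can, wp_nonce_field, admin_post_* hooks) are real.

```php
<?php
// Added illustration, not the plugin's own code. Hypothetical settings form for a
// find/replace rule, submitted to admin-post.php. Option name and hook names are made up.

// --- Vulnerable pattern: the handler trusts any POST that reaches it ---
// Nothing ties the request to a form the admin actually saw, so a forged
// cross-site request from a logged-in admin's browser is accepted. Because the
// saved rule is applied to every rendered page, the injected markup becomes
// stored XSS for all visitors.
function frr_demo_save_rule_unsafe() {
    update_option( 'frr_demo_rule', array(
        'find'    => wp_unslash( $_POST['find'] ),
        'replace' => wp_unslash( $_POST['replace'] ),
    ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=frr_demo' ) );
    exit;
}

// --- Hardened pattern: capability check plus nonce verification ---
function frr_demo_save_rule_safe() {
    // 1. Only users who may change site options can save a rule.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. The request must carry the nonce emitted with the form. A page on
    //    another origin cannot read that value, so a forged request fails
    //    here and check_admin_referer() terminates with an error page.
    check_admin_referer( 'frr_demo_save_rule', 'frr_demo_nonce' );

    // 3. Normalise the input. The "replace" value may legitimately contain
    //    HTML (that is the feature), so the capability and nonce checks above,
    //    not output sanitisation, are what stop an unauthorised rule.
    $find    = isset( $_POST['find'] )    ? sanitize_text_field( wp_unslash( $_POST['find'] ) ) : '';
    $replace = isset( $_POST['replace'] ) ? wp_unslash( $_POST['replace'] ) : '';

    if ( '' === $find ) {
        wp_die( 'A search string is required.', '', array( 'response' => 400 ) );
    }

    update_option( 'frr_demo_rule', array( 'find' => $find, 'replace' => $replace ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=frr_demo&saved=1' ) );
    exit;
}
// Route POSTs with action=frr_demo_save_rule to the hardened handler only.
add_action( 'admin_post_frr_demo_save_rule', 'frr_demo_save_rule_safe' );

// The settings form: wp_nonce_field() emits the hidden nonce the handler checks.
function frr_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="frr_demo_save_rule">
        <?php wp_nonce_field( 'frr_demo_save_rule', 'frr_demo_nonce' ); ?>
        <label>Find <input type="text" name="find"></label>
        <label>Replace with <textarea name="replace"></textarea></label>
        <?php submit_button( 'Save rule' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of bug, the check is mechanical: every handler reachable from a POST (admin_post_*, admin-ajax.php actions, options pages processing $_POST directly) must call check_admin_referer() or wp_verify_nonce() and a current_user_can() check before writing any option. A nonce alone is not a substitute for the capability check, since a nonce only proves the request came from a form WordPress rendered for that user.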