HomesecurityAn error in a WordPress plugin puts 100.000 sites at risk

An error in a WordPress plugin puts 100.000 sites at risk


A new error one-click, which was discovered in the add-on Real-time Find and Replace, allows hackers enter malicious code into sites and create fake administrator accounts. Website owners WordPress it is recommended that they notify the add-on immediately, so that they remain secure.

The error, which is one Cross-Site Request Forgery (CSRF), can lead to attacks Stored Cross-Site Scripting (Stored XSS). It affects all versions of Real-Time Find and Replace, up to 3.9.

Malicious agents can deceive a legitimate website owner into importing malware JavaScript on his account by simply clicking on a link he will find in a misleading e-mail or comment.

The WordPress Real-Time Find and Replace plugin is especially useful, as it allows a user to temporarily replace a text or code in real time without having to enter the source code of the site and make permanent changes. This add-on is installed on more than 100.000 websites.

Malicious code imports

As reported in exhibition Chloe Chamberland, an analyst at Wordfence, one hacker it can take advantage of the capabilities of the add-on to insert malicious code into a site and change its content.

This JavaScript code will be executed automatically "whenever a user navigates to a web page that contained the original content," according to Chamberland.

For example, invaders could abuse it vulnerability to Replace an HTML Tag Likehead> with their malicious code. This would result in almost all the infected WordPress site pages being turned into malware.

Malicious code could then "be used to enter a new administrator account, steal cookies, or redirect users to a malicious website, allowing intruders to gain administrator access or infect innocent visitors browsing an infringing site." website ”, according to the Chamberland report.

Η vulnerability was discovered and reported on April 22. Wordfence rated this security flaw with CVSS 8,8, which makes it very serious, and it's imperative that users update to version 4.0.2, which completely fixes the bug.

Absent Mia
Being your self, in a world that constantly tries to change you, is your greatest achievement