A new one-click vulnerability discovered in the Real-Time Find and Replace plugin allows attackers to inject malicious code into sites and create rogue administrator accounts. WordPress site owners are advised to update the plugin immediately to stay secure.
The flaw, a Cross-Site Request Forgery (CSRF), can lead to Stored Cross-Site Scripting (Stored XSS) attacks. It affects all versions of Real-Time Find and Replace up to 3.9.
The WordPress Real-Time Find and Replace plugin is especially useful because it lets a user temporarily replace text or code in real time without editing the site's source code and making permanent changes. The plugin is installed on more than 100,000 websites.
Malicious code injection
For example, attackers could abuse the vulnerability to replace an HTML tag such as <head> with their malicious code. As a result, almost every page of the infected WordPress site becomes malicious.
The malicious code could then be "used to create a new administrator account, steal cookies or redirect users to a malicious site, allowing attackers to gain administrator access or infect innocent visitors browsing a compromised website", according to Chamberland's report.
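The root cause described above is a settings handler that trusts any request arriving with an administrator's session. The following is an added illustration, not the plugin's own code: a hypothetical find-and-replace settings handler with no CSRF protection, followed by the hardened form that verifies a WordPress nonce and the caller's capability. Hook names, option keys and form fields are invented for the example.

```php
<?php
// Added example (not the Real-Time Find and Replace plugin's code). Hook names,
// option keys and field names are hypothetical.

// VULNERABLE: the handler relies only on the admin being logged in. A forged
// cross-site form submitted by the admin's browser is accepted, so attacker-
// chosen replacement markup is stored and later rendered on every page.
function hyp_save_rules_vulnerable() {
    $find    = $_POST['find'] ?? '';
    $replace = $_POST['replace'] ?? '';
    update_option( 'hyp_find_replace_rules', array( $find => $replace ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=hyp-find-replace' ) );
    exit;
}

// HARDENED: require a nonce bound to this action and user, and check the
// capability explicitly. The nonce is what closes the CSRF hole.
function hyp_save_rules_hardened() {
    // check_admin_referer() stops the request (HTTP 403) if the nonce is missing
    // or was not issued for this action and this user's session.
    check_admin_referer( 'hyp_save_rules', 'hyp_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $find    = sanitize_text_field( wp_unslash( $_POST['find'] ?? '' ) );
    $replace = wp_unslash( $_POST['replace'] ?? '' );
    // Defence in depth: the replacement is rendered to every visitor, so strip
    // <script> and event handlers. A plugin that must allow arbitrary markup
    // would drop this line and rely on the nonce and capability checks above.
    $replace = wp_kses_post( $replace );
    update_option( 'hyp_find_replace_rules', array( $find => $replace ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=hyp-find-replace' ) );
    exit;
}
add_action( 'admin_post_hyp_save_rules', 'hyp_save_rules_hardened' );

// The settings form must emit the nonce the hardened handler verifies.
function hyp_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hyp_save_rules">
        <?php wp_nonce_field( 'hyp_save_rules', 'hyp_nonce' ); ?>
        <input type="text" name="find" placeholder="text to find">
        <input type="text" name="replace" placeholder="replacement">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

For detection, an unexpected change to a plugin's stored find-and-replace rules, or a new administrator user created shortly after an admin visited an unfamiliar page, is the signal to look for in audit logs.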
The vulnerability was discovered and reported on April 22. Wordfence rated the flaw with a CVSS score of 8.8, which makes it high severity, and users should update to version 4.0.2, which fully fixes the bug.