Real-Time Find and Replace Plugin
The WordPress Real-Time Find and Replace plugin is currently installed on over 100,000 WordPress websites. The plugin lets site owners replace text and code in their site’s content, themes and other plugins on the fly, at render time. The find and replace happens dynamically, without the user permanently changing the site’s source code, themes or content, which simplifies upgrading plugins and themes. The plugin performs the replacement when a page is generated, just before it is delivered to the browser. Consequently, whatever the replacement contains is served, and executed, whenever a visitor requests a page that contains the original text or code.
The WordPress Plugin’s Flaw
The Cross-Site Request Forgery (CSRF) vulnerability in the WordPress Real-Time Find and Replace plugin was discovered by Wordfence’s threat intelligence team. It allows an attacker who tricks an administrator into submitting a forged request to add a find-and-replace rule that injects malicious JavaScript into the site’s pages, in effect a stored cross-site scripting (XSS) payload. Because that script also runs in the browsers of logged-in administrators, the flaw could further be used to create rogue administrator accounts.
Consequences of the Vulnerability
CSRF attacks cause an authenticated user’s browser to send requests the user never intended to a web application, riding on the session cookies the browser attaches automatically. Exploiting this flaw therefore requires user interaction: the victim must be a logged-in administrator who is induced to trigger the request. As explained in the report published by Wordfence a couple of days ago, “This flaw could allow any user to inject malicious Javascript anywhere on a site if they could trick a site’s administrator into performing an action, like clicking on a link in a comment or email.” The report also explains that the injected code could be used to give the attacker administrator access to the infected website, steal session cookies, redirect users to malicious sites or infect visitors with malware. For instance, an attacker could use the vulnerability to have the plugin replace an HTML tag such as the page header with malicious JavaScript. Because such a tag appears on virtually every page of a site, the malicious code would execute on virtually every page of the affected website. Successful exploitation would therefore have a significant impact.
Cause of Plugin Vulnerability
The cause of the vulnerability was a missing nonce verification in the “far_options_page” function of the plugin. This function contains the core of the plugin’s functionality for adding new find and replace rules. Without a nonce, the server cannot distinguish a rule update submitted from its own admin form from one auto-submitted by an attacker’s page in the administrator’s browser, since both arrive with the administrator’s session cookies. As Chloe Chamberland, a researcher at Wordfence, explained, because the nonce verification was missing “the integrity of a request’s source was not verified during rule update, resulting in a Cross-Site Request Forgery vulnerability.”
How to Fix the Flaw
The vulnerability affects all Real-Time Find and Replace plugin versions up to and including version 3.9. The plugin’s developers addressed the flaw by releasing a full patch within a few hours of the initial disclosure report. The fix is included in version 4.0.2 of the plugin. In this version, “… a nonce has been added along with a check_admin_referer nonce verification function to ensure the legitimacy of the source of a request,” said Chamberland. Users of the plugin are therefore advised to update to version 4.0.2 immediately. Note that a nonce check only proves that the request came from a form WordPress rendered for that user; it does not replace a capability check, so the handler should still confirm the user is allowed to change settings.
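The following is an added, illustrative WordPress admin-page handler showing the vulnerable pattern described under “Cause of Plugin Vulnerability” beside the nonce-protected pattern described in this section. It is not the Real-Time Find and Replace plugin’s own code: the option name, field names, nonce action string, function names and the `manage_options` capability are assumptions chosen for the example; only the WordPress API calls (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `get_option`, `update_option`) are real.

```php
<?php
/*
 * Added example of a WordPress settings handler with and without CSRF
 * protection. Not the plugin's code: every name prefixed "example_far_"
 * and the field names far_find / far_replace are assumptions.
 * Runs only inside WordPress (it depends on the WordPress API).
 */

// Vulnerable pattern: any POST that arrives while an administrator is logged
// in is trusted. A form on an attacker's page, auto-submitted in the admin's
// browser, carries the admin's session cookies, so this saves the attacker's
// rule. If far_replace contains <script>, the plugin then serves it on every
// page where far_find matches.
function example_far_options_page_vulnerable() {
    if ( isset( $_POST['far_find'], $_POST['far_replace'] ) ) {
        $rules   = (array) get_option( 'example_far_rules', array() );
        $rules[] = array(
            'find'    => wp_unslash( $_POST['far_find'] ),
            'replace' => wp_unslash( $_POST['far_replace'] ),
        );
        update_option( 'example_far_rules', $rules );
    }
    example_far_render_form( false );
}

// Fixed pattern: the form embeds a nonce bound to this user and action, and
// the handler verifies it with check_admin_referer(), which calls wp_die()
// when the nonce is missing or invalid. An attacker's page cannot read the
// nonce out of the admin screen (same-origin policy), so a forged request
// never reaches update_option(). The capability check is separate: a valid
// nonce proves origin, not authorization.
function example_far_options_page_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example' ) );
    }
    if ( isset( $_POST['far_find'], $_POST['far_replace'] ) ) {
        // Dies unless $_REQUEST['example_far_nonce'] is a valid nonce for
        // the action 'example_far_save_rules' issued to the current user.
        check_admin_referer( 'example_far_save_rules', 'example_far_nonce' );

        $rules   = (array) get_option( 'example_far_rules', array() );
        $rules[] = array(
            'find'    => sanitize_text_field( wp_unslash( $_POST['far_find'] ) ),
            // The replacement may legitimately contain markup (that is the
            // plugin's purpose), so it is stored as submitted by the
            // verified, authorized administrator.
            'replace' => wp_unslash( $_POST['far_replace'] ),
        );
        update_option( 'example_far_rules', $rules );
    }
    example_far_render_form( true );
}

// Renders the admin form; with $with_nonce the hidden nonce field (and the
// _wp_http_referer field wp_nonce_field() adds) is included.
function example_far_render_form( $with_nonce ) {
    echo '<form method="post">';
    if ( $with_nonce ) {
        wp_nonce_field( 'example_far_save_rules', 'example_far_nonce' );
    }
    echo '<p><label>Find <input type="text" name="far_find" /></label></p>';
    echo '<p><label>Replace <textarea name="far_replace"></textarea></label></p>';
    submit_button( 'Add rule' );
    echo '</form>';
}

// Register the fixed handler as a Settings submenu page.
add_action( 'admin_menu', function () {
    add_options_page(
        'Example Find/Replace',
        'Example Find/Replace',
        'manage_options',
        'example-far',
        'example_far_options_page_fixed'
    );
} );
```

`check_admin_referer()` returns 1 when the nonce was generated in the first half of its lifetime and 2 in the second half (24 hours by default), and otherwise stops execution, so the code after it only runs for requests that originated from the form WordPress rendered for that administrator. It does not protect against an administrator who intentionally adds a script rule, which the plugin permits by design; its job is to make sure the administrator actually made the request.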