The “Real-Time Find and Replace” WordPress plugin was recently updated to address a high-severity vulnerability that could have been exploited to inject code into sites.
The plugin, available as open source and with over 100,000 installations, is designed to let WordPress site admins dynamically replace HTML content from themes and other plugins with content of their own choosing before the page is served to users.
The core of the plugin’s functionality for adding find-and-replace rules lives in the function far_options_page, which, as WordPress security company Defiant discovered, did not verify the source of a request because it used no nonce verification.
An attacker exploiting this could inject code and ensure that it executes on nearly every page of the targeted site.
Using the injected code, the attacker could create a new administrative account, steal session cookies, or redirect users to a malicious site.
The flaw was reported on April 22 and was addressed the same day.
Defiant explained that an attacker “tricking a site owner into executing an unwanted action could replace any content or HTML on a vulnerable site with new content or malicious code. This replacement code or content would then execute anytime a user navigated to a page that contained the original content.”
“In the most up-to-date version, a nonce has been added along with a check_admin_referer nonce verification function to ensure the legitimacy of the source of a request,” Defiant explained further.
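As an added illustration (not the plugin’s own code), here is the vulnerable options-handler pattern next to a hardened one that uses the real WordPress functions wp_nonce_field() and check_admin_referer(); the rtfr_demo_* function names and the option key are hypothetical:

```php
<?php
// Added illustrative example, not the plugin's own code. The rtfr_demo_* names
// and the option key are hypothetical; the WordPress APIs used are real.

// Vulnerable pattern: the handler trusts any POST that reaches it. A logged-in
// admin lured onto an attacker-controlled page can be made to submit this form
// (CSRF), installing a find/replace rule that rewrites pages for every visitor.
function rtfr_demo_save_rule_vulnerable() {
    if ( isset( $_POST['find'], $_POST['replace'] ) ) {
        update_option( 'rtfr_demo_rule', array(
            'find'    => wp_unslash( $_POST['find'] ),
            'replace' => wp_unslash( $_POST['replace'] ),
        ) );
    }
}

// Hardened pattern: the form carries a nonce tied to one named action, and the
// handler refuses the request unless check_admin_referer() validates it. A
// forged cross-site request cannot supply a valid nonce, so the write never runs.
function rtfr_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="rtfr_demo_save_rule">';
    wp_nonce_field( 'rtfr_demo_save_rule', 'rtfr_demo_nonce' ); // emits nonce + referer fields
    echo '<input type="text" name="find">';
    echo '<input type="text" name="replace">';
    submit_button( 'Save rule' );
    echo '</form>';
}

function rtfr_demo_save_rule_hardened() {
    // Capability check: only users allowed to manage options may add rules.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: stops with a 403 "link has expired" page if the nonce is
    // missing, forged, expired, or issued for a different action.
    check_admin_referer( 'rtfr_demo_save_rule', 'rtfr_demo_nonce' );

    // The admin is intentionally allowed to store HTML in 'replace' (that is the
    // feature); the capability and nonce gates are what prevent unauthorized writes.
    update_option( 'rtfr_demo_rule', array(
        'find'    => sanitize_text_field( wp_unslash( $_POST['find'] ?? '' ) ),
        'replace' => wp_unslash( $_POST['replace'] ?? '' ),
    ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_rtfr_demo_save_rule', 'rtfr_demo_save_rule_hardened' );
```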
The latest version of the plugin includes a patch for the bug, and users are advised to update the plugin as soon as possible to ensure their WordPress websites are protected.