The “Real-Time Find and Replace” WordPress plugin was updated recently to address a high-severity vulnerability that could be exploited to inject code into a website.
Designed to allow WordPress site admins to dynamically replace HTML content from themes and other plugins with content of their choosing before the page is served to users, the plugin is available as open source and has over 100,000 installations.
The core of the plugin’s functionality for adding find and replace rules resides in the function far_options_page, which, because it performed no nonce verification, did not check whether a request actually originated from the site’s own admin interface (a cross-site request forgery, or CSRF, weakness), WordPress security company Defiant discovered.
“Any attacker capable of tricking a site owner into executing an unwanted action could replace any content or HTML on a vulnerable site with new content or malicious code. This replacement code or content would then execute anytime a user navigated to a page that contained the original content,” Defiant says.
Defiant reported the vulnerability to the plugin’s developer on April 22 and the security flaw was addressed the same day.
“In the most up to date version, a nonce has been added along with a check_admin_referer nonce verification function to ensure the legitimacy of the source of a request,” Defiant explains.
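To show the class of fix described above, here is an added illustration (not the plugin’s own code) of a WordPress options-page handler without a nonce check beside the hardened form that uses wp_nonce_field and check_admin_referer; all function, option and field names prefixed example_far_ are hypothetical.

```php
<?php
// Hypothetical names throughout (example_far_*); this is not the plugin's own code.

// Vulnerable pattern: the handler trusts any POST that reaches it. The browser attaches
// the admin's session cookie to a form submitted from any site, so a request the admin
// never intended can still store a new replacement rule (CSRF). The missing ingredient
// is a secret the cross-site page cannot know: the nonce.
function example_far_save_rules_vulnerable() {
    if ( isset( $_POST['example_far_find'], $_POST['example_far_replace'] ) ) {
        update_option( 'example_far_rules', array(
            'find'    => wp_unslash( $_POST['example_far_find'] ),
            'replace' => wp_unslash( $_POST['example_far_replace'] ),
        ) );
    }
}

// Hardened pattern: a capability check plus a nonce bound to the logged-in user and the
// action. check_admin_referer() validates the 'example_far_nonce' field and halts the
// request on failure, so a forged cross-site request never reaches update_option().
function example_far_save_rules_fixed() {
    if ( ! isset( $_POST['example_far_find'], $_POST['example_far_replace'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_far_save_rules', 'example_far_nonce' );

    // The replacement is stored as-is because replacing HTML is the feature's purpose;
    // what prevents abuse is that only a deliberate, nonce-bearing admin request gets here.
    update_option( 'example_far_rules', array(
        'find'    => sanitize_text_field( wp_unslash( $_POST['example_far_find'] ) ),
        'replace' => wp_unslash( $_POST['example_far_replace'] ),
    ) );
}

// The settings form that pairs with the fixed handler: wp_nonce_field() emits the hidden
// nonce input (plus a referer field) that check_admin_referer() later validates.
function example_far_render_form() {
    example_far_save_rules_fixed();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=example-far' ) ); ?>">
        <?php wp_nonce_field( 'example_far_save_rules', 'example_far_nonce' ); ?>
        <input type="text" name="example_far_find" placeholder="Find">
        <input type="text" name="example_far_replace" placeholder="Replace with">
        <?php submit_button( 'Save rule' ); ?>
    </form>
    <?php
}
```

The nonce action string passed to wp_nonce_field() and check_admin_referer() must match exactly, and the capability check matters on its own because a nonce proves intent, not authorization.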
Version 4.0.2 or newer of the Real-Time Find and Replace plugin includes a patch for the bug, and users are advised to update the plugin as soon as possible to ensure their WordPress websites are protected.