Security Experts:

Connect with us

Hi, what are you looking for?



Code Injection Vulnerability Found in ‘Real-Time Find and Replace’ WordPress Plugin

The “Real-Time Find and Replace” WordPress plugin was updated recently to address a high severity vulnerability that could be exploited to inject code into a website.

The “Real-Time Find and Replace” WordPress plugin was updated recently to address a high severity vulnerability that could be exploited to inject code into a website.

Designed to allow WordPress site admins to dynamically replace HTML content from themes and other plugins with content of their choosing before the page is served to users, the plugin is available as open source and has over 100,000 installations.

The recently identified vulnerability, a Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS), could have allowed an attacker to inject malicious JavaScript code on a target site, but only by tricking the administrator into performing specific actions, such as clicking a link.

The core of the plugin’s functionality for adding find and replace rules resides in the function far_options_page, which did not verify the integrity of a request’s source, because it did not use nonce verification, WordPress security company Defiant discovered.

“Any attacker capable of tricking a site owner into executing an unwanted action could replace any content or HTML on a vulnerable site with new content or malicious code. This replacement code or content would then execute anytime a user navigated to a page that contained the original content,” Defiant says.

By replacing an HTML tag like <head> with malicious JavaScript, an attacker would ensure their code executes on nearly every page of the targeted site. Leveraging the injected code, the attacker could create a new administrative account, steal session cookies, or direct users to a malicious site.

Defiant reported the vulnerability to the plugin’s developer on April 22 and the security flaw was addressed the same day.

“In the most up to date version, a nonce has been added along with a check_admin_referer nonce verification function to ensure the legitimacy of the source of a request,” Defiant explains.

Version 4.0.2 or newer of the Real-Time Find and Replace plugin includes a patch for the bug, and users are advised to update the plugin as soon as possible to ensure their WordPress websites are protected.

Related: Unpatched Flaw in Discontinued Plugin Exposes WordPress Sites to Attacks

Related: Critical Flaw in SEO Plugin Exposed Many WordPress Sites to Attacks

Related: WPvivid Backup Plugin Flaw Leads to WordPress Database Leak

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.