Quote:A high-severity cross-site request forgery (CSRF) vulnerability in Real-Time Find and Replace, a WordPress plugin installed on more than 100,000 sites, could lead to cross-site scripting and the injection of malicious JavaScript anywhere on a victim site.
 
According to research from Wordfence released on Monday, the malicious code injection could be used to create a new administrative user account, steal session cookies, redirect users to a malicious site, obtain administrative access or to infect innocent visitors browsing a compromised site with a drive-by malware attack.
 
Real-Time Find and Replace allows administrators to dynamically replace any HTML content on WordPress sites with new content without permanently changing the source content, right before a page is delivered to a user’s browser. Any replacement code or content executes anytime a user navigates to a page that contains the original content.
 
“To provide this functionality, the plugin registers a sub-menu page tied to the function far_options_page with a capability requirement to ‘activate_plugins,'” explained Wordfence researcher Chloe Chamberland, in a Monday posting. “The far_options_page function contains the core of the plugin’s functionality for adding new find-and-replace rules. Unfortunately, that function failed to use nonce verification, so the integrity of a request’s source was not verified during rule update, resulting in a CSRF vulnerability.”