Vulnerability in WordPress Plugin Left Over 100,000 Pages Unprotected


Due to a vulnerability in Real-Time Find and Replace, a popular WordPress plugin, the more than 100,000 sites that installed it were exposed to malicious attacks. The flaw is reported to be fixed in the upcoming version 4.0.2.

It has been discovered that a plugin installed and used on more than 100,000 sites running the popular blogging and publishing platform WordPress can cause serious problems. The vulnerability in the Real-Time Find and Replace plugin allows malicious tampering with pages: through the technique known as Cross-Site Request Forgery (CSRF), malicious code can be injected into an affected site.

According to research by Wordfence, an attacker exploiting the flaw could create a new administrator account, steal session cookies, redirect users to a malicious site, obtain administrator access, or send unsuspecting visitors to a dangerous site. Cross-site scripting is achieved by injecting JavaScript code into the pages.

What causes the vulnerability?
The Real-Time Find and Replace plugin lets administrators dynamically replace any HTML content in WordPress with new content before the page reaches the user’s browser, without having to edit the source content each time. Consequently, whenever a visitor loads a page of the site, any replacement code or content is executed in that visitor’s browser.

‘far_options_page’, one of the main functions behind this feature, does not perform nonce (one-time token) verification, so the origin of a request is never validated when the find-and-replace rules are updated; this is what creates the CSRF vulnerability. A CSRF attack is a forged request sent to a web application on behalf of an authenticated user. In this case, user interaction is required to exploit the flaw: it is enough to lure an administrator into following a malicious link placed in an e-mail or in a comment.

It is stated that attackers could corrupt a site, in particular by replacing the <head> HTML tag with malicious JavaScript code. Since almost every page of a site includes the <head> tag in its header, malicious code injected once is reproduced on every page of the affected site.

Upgrading the Real-Time Find and Replace plugin to its latest version, 4.0.2, is stated to fix the problem; the new version adds nonce verification.
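To make the missing check and the fix concrete, here is an added example (not the plugin's own code, nor Wordfence's) of a hypothetical WordPress settings handler for find-and-replace rules. The first function shows the CSRF-prone pattern the article describes: a POST is trusted without proof that it came from the plugin's own settings page. The second adds the WordPress nonce verification plus a capability check. All names prefixed `demo_far_` are assumptions for illustration.

```php
<?php
/**
 * Added example (not the plugin's code): a hypothetical "find and replace"
 * rules handler, first without a nonce check, then hardened.
 * Every demo_far_* name is an assumption made for this illustration.
 */

// --- Vulnerable pattern: every POST that reaches this handler is trusted. ---
// A logged-in administrator whose browser submits this form from a third-party
// page (a CSRF request) gets the rules overwritten, because nothing proves the
// request originated from the plugin's own settings page.
function demo_far_save_rules_unsafe() {
    if ( ! isset( $_POST['demo_far_find'], $_POST['demo_far_replace'] ) ) {
        return;
    }
    update_option( 'demo_far_rules', array(
        'find'    => wp_unslash( $_POST['demo_far_find'] ),
        'replace' => wp_unslash( $_POST['demo_far_replace'] ),
    ) );
}

// --- Hardened pattern: capability check + nonce verification. ---
function demo_far_save_rules_safe() {
    if ( ! isset( $_POST['demo_far_find'], $_POST['demo_far_replace'] ) ) {
        return;
    }
    // Only users who may manage options can change the rules at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // check_admin_referer() validates the nonce field 'demo_far_nonce' against
    // the action 'demo_far_save_rules' and stops the request on mismatch. A
    // page on another origin cannot read the nonce, so a forged request never
    // reaches update_option().
    check_admin_referer( 'demo_far_save_rules', 'demo_far_nonce' );

    // The "find" string is plain text. The replacement is HTML by design
    // (that is the feature), so it is only filtered for users who lack the
    // unfiltered_html capability; the nonce and capability checks are the
    // control against CSRF, not content filtering.
    $replace = wp_unslash( $_POST['demo_far_replace'] );
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $replace = wp_kses_post( $replace );
    }
    update_option( 'demo_far_rules', array(
        'find'    => sanitize_text_field( wp_unslash( $_POST['demo_far_find'] ) ),
        'replace' => $replace,
    ) );
}

// Settings page: the form must emit the nonce field that the handler checks.
function demo_far_render_options_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    demo_far_save_rules_safe();
    $rules = get_option( 'demo_far_rules', array( 'find' => '', 'replace' => '' ) );
    ?>
    <div class="wrap">
        <h1>Find and Replace (demo)</h1>
        <form method="post">
            <?php wp_nonce_field( 'demo_far_save_rules', 'demo_far_nonce' ); ?>
            <p><label>Find:
                <input type="text" name="demo_far_find"
                       value="<?php echo esc_attr( $rules['find'] ); ?>"></label></p>
            <p><label>Replace with:
                <textarea name="demo_far_replace"><?php echo esc_textarea( $rules['replace'] ); ?></textarea></label></p>
            <?php submit_button( 'Save rules' ); ?>
        </form>
    </div>
    <?php
}

// Register the settings page under Settings in wp-admin.
add_action( 'admin_menu', function () {
    add_options_page(
        'Find and Replace (demo)',
        'Find and Replace (demo)',
        'manage_options',
        'demo-far',
        'demo_far_render_options_page'
    );
} );
```

The nonce is tied to the logged-in user and to the action name, and WordPress rotates it on a fixed schedule, so a request can only pass `check_admin_referer()` if it was built from a form that the same user's browser rendered on the real settings page. When reviewing a plugin for this class of bug, look for every handler that calls `update_option()` on POST data and confirm that a `check_admin_referer()` or `wp_verify_nonce()` call guards it.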

