Code Injection Vulnerability Found in 'Real-Time Find and Replace' WordPress Plugin (Security News, April 2020)
The "Real-Time Find and Replace" WordPress plugin was updated recently to address a high-severity vulnerability that could be exploited to inject code into a website.
Designed to allow WordPress site admins to dynamically replace HTML content from themes and other plugins with content of their choosing before the page is served to users, the plugin is available as open source and has over 100,000 installations.
The core of the plugin's functionality for adding find-and-replace rules resides in the function far_options_page which, as WordPress security company Defiant discovered, did not verify where a request came from because it performed no nonce verification. Without a nonce tied to the logged-in user and the intended action, the handler cannot distinguish a form the admin submitted deliberately from one forged by a third-party page (a cross-site request forgery weakness).
"Any attacker capable of tricking a site owner into executing an unwanted action could replace any content or HTML on a vulnerable site with new content or malicious code. This replacement code or content would then execute anytime a user navigated to a page that contained the original content," Defiant says.
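To make the missing check concrete, the following is an added illustration of the general pattern, not code from the Real-Time Find and Replace plugin or from Defiant: a hypothetical settings handler that stores POSTed rules with no origin check, beside the hardened form that requires a capability check and a nonce before changing state. All function, option and nonce names (example_options_page_vulnerable, example_rules, example_save_rules, and so on) are assumptions made for the example; check_admin_referer(), wp_nonce_field(), current_user_can() and the other calls are standard WordPress APIs.

```php
<?php
/**
 * Added illustrative example. Function, option and nonce names are
 * hypothetical; the WordPress API calls are real.
 */

// VULNERABLE PATTERN: any POST that reaches this page is saved. Because the
// browser attaches the admin's session cookies to a form submitted from some
// other site, nothing here proves the admin intended the change.
function example_options_page_vulnerable() {
    if ( isset( $_POST['example_rules'] ) ) {
        update_option( 'example_rules', $_POST['example_rules'] );
    }
    example_render_form( false );
}

// HARDENED PATTERN: capability check and nonce check before any state change.
function example_options_page_hardened() {
    if ( isset( $_POST['example_rules'] ) ) {
        // 1. The current user must be allowed to manage settings at all.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
        }

        // 2. The request must carry a valid nonce for this exact action.
        //    Nonces are bound to the user, session and action string and
        //    expire after 12 to 24 hours; on failure WordPress stops the
        //    request with a 403 "link has expired" page.
        check_admin_referer( 'example_save_rules', 'example_nonce' );

        // 3. Sanitize before storing, since the rules are later echoed
        //    into page HTML.
        $rules = wp_unslash( $_POST['example_rules'] );
        $clean = array_map( 'sanitize_text_field', (array) $rules );
        update_option( 'example_rules', $clean );
    }
    example_render_form( true );
}

// Renders the settings form; the hardened variant embeds the nonce field.
function example_render_form( $with_nonce ) {
    echo '<form method="post">';
    if ( $with_nonce ) {
        // Emits the hidden nonce (and referer) fields that
        // check_admin_referer() validates on submission.
        wp_nonce_field( 'example_save_rules', 'example_nonce' );
    }
    echo '<input type="text" name="example_rules[]" />';
    submit_button( 'Save rules' );
    echo '</form>';
}

// Register the hardened handler as the plugin's settings page.
add_action( 'admin_menu', function () {
    add_options_page(
        'Example Rules',
        'Example Rules',
        'manage_options',
        'example-rules',
        'example_options_page_hardened'
    );
} );
```

The nonce is the piece the vulnerable handler lacks: it is a per-user, per-action token that only a form rendered by WordPress for that user contains, so a request forged from another origin cannot carry a valid one. The capability check is separate and still necessary, because a nonce proves intent, not authorization; reviewing a plugin for either check alone leaves the other gap open.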
Version 4.0.2 or newer of the Real-Time Find and Replace plugin includes a patch for the bug, and users are advised to update the plugin as soon as possible to ensure their WordPress websites are protected.