This buggy WordPress plugin allows hackers to lace websites with malicious code

Security researchers have identified a flaw in the Real-Time Find and Replace WordPress plugin that could allow hackers to lace websites with malicious code. The affected plugin affords WordPress users the ability to edit website code and text content in real-time, without having to go into the backend – and reportedly features on over 100,000 sites. Uncovered by threat analysts at Wordfence, the exploit manipulates a Cross-Site Request Forgery (CSRF) flaw in the plugin, which the hacker can use to push infected content to the website and create new admin accounts. The bug reportedly affects all iterations of the plugin up to version 3.9. WordPress plugin vulnerability According to the Wordfence report – which classifies the vulnerability as severe – an assailant can deceive the legitimate administrator into introducing malicious JavaScript to their website by planting a rigged link in a comment or email. The code would then be […]

Click here to view original web page at This buggy WordPress plugin allows hackers to lace websites with malicious code