Researchers at Wordfence have discovered a severe vulnerability in a popular WordPress plugin. As stated in a recent blog post, the Real-Time Find and Replace plugin, which is installed on at least 100,000 WordPress sites, is affected by a cross-site scripting flaw. According to the company’s own description, the plugin is used to “dynamically… replace code and text from themes and other plugins with code and text of your choosing before a page is delivered to a user’s browser.” As one can surmise, a threat actor can leverage the vulnerability to inject arbitrary malicious code. This is not the first time a vulnerability in a WordPress plugin has caused trouble.

Wordfence, which offers free and paid endpoint firewall protection and malware scanners to protect WordPress users, describes the actual process of exploiting the vulnerability as follows:

The far_options_page function contains the core of the plugin’s functionality for adding new find and replace rules. Unfortunately, that function failed to use nonce verification, so the integrity of a request’s source was not verified during rule update, resulting in a Cross-Site Request Forgery vulnerability… Any attacker capable of tricking a site owner into executing an unwanted action could replace any content or HTML on a vulnerable site with new content or malicious code. This replacement code or content would then execute anytime a user navigated to a page that contained the original content.

Because this XSS vulnerability scores 8.8 on the Common Vulnerability Scoring System (CVSS) scale, Wordfence made sure to inform developers as soon as possible. The result of this quick action was a patch that is now available in the newest Real-Time Find and Replace 4.0.2 update. Wordfence researchers urge site admins to install the update as soon as possible, especially if they are not on the Wordfence Premium plan. Wordfence Premium does have some XSS protections via its firewall; however, leaving unpatched any vulnerability that is publicly known to be exploitable is foolish.
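The nonce verification that the Wordfence description says was missing, sketched as an added example: this is not the plugin's code or Wordfence's, and the handler, option and field names (all prefixed demo_) are assumptions made for illustration. It uses the standard WordPress calls wp_nonce_field() and check_admin_referer() alongside a capability check.

```php
<?php
// Added example: a hypothetical plugin settings page, not the
// Real-Time Find and Replace source. All demo_* names are assumptions.

add_action( 'admin_menu', function () {
    add_options_page( 'Demo Rules', 'Demo Rules', 'manage_options',
        'demo-rules', 'demo_rules_options_page' );
} );

function demo_rules_options_page() {
    // Only administrators may view or change replacement rules.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ) );
    }

    if ( isset( $_POST['demo_rules_submit'] ) ) {
        // Nonce verification: the request must carry the token issued to
        // this user for this action by the form below. A request that
        // originates from another site cannot supply it, and
        // check_admin_referer() ends the request before anything is saved.
        check_admin_referer( 'demo_rules_save', 'demo_rules_nonce' );

        // Accept only plain string fields; anything else becomes ''.
        $field = function ( $key ) {
            return ( isset( $_POST[ $key ] ) && is_string( $_POST[ $key ] ) )
                ? wp_unslash( $_POST[ $key ] ) : '';
        };
        $find    = $field( 'demo_find' );
        $replace = $field( 'demo_replace' );

        // Accounts without the unfiltered_html capability get their
        // replacement markup filtered before it is stored.
        if ( ! current_user_can( 'unfiltered_html' ) ) {
            $replace = wp_kses_post( $replace );
        }
        update_option( 'demo_rules', array( 'find' => $find, 'replace' => $replace ) );
        echo '<div class="updated"><p>Rule saved.</p></div>';
    }

    $rule = get_option( 'demo_rules', array( 'find' => '', 'replace' => '' ) );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'demo_rules_save', 'demo_rules_nonce' ); ?>
        <input type="text" name="demo_find" value="<?php echo esc_attr( $rule['find'] ); ?>">
        <textarea name="demo_replace"><?php echo esc_textarea( $rule['replace'] ); ?></textarea>
        <?php submit_button( 'Save rule', 'primary', 'demo_rules_submit' ); ?>
    </form>
    <?php
}
```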


Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.


Source: http://techgenix.com/critical-vulnerability-wordpress-plugin/
