Vulnerability in Real-Time Find and Replace Plugin for WordPress
CVE-2020-13641

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Real-time Find And Replace
Vendor: CVE Published:; 28 May 2020

Summary

A vulnerability was discovered in the Real-Time Find and Replace plugin for WordPress, affecting versions prior to 4.0.2. The issue lies in the far_options_page function, which fails to implement proper nonce verification. This oversight allows attackers to forge requests on behalf of an administrator. As a result, malicious JavaScript can be injected into find and replace rules, posing a risk as this code may execute in the browser of an unsuspecting victim. Users of this plugin should ensure they are updated to the latest version to mitigate this vulnerability.

References

https://www.wordfence.com/blog/2020/04/high-severity-vuln...

x_refsource_MISC

https://wordpress.org/plugins/real-time-find-and-replace/...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
May 28, 2020
Vulnerability Reserved
May 27, 2020