WordPress Plugin Vulnerabilities

Real-Time Find and Replace < 4.0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Description

This flaw could allow any user to inject malicious Javascript anywhere on a site if they could trick a site’s administrator into performing an action, like clicking on a link in a comment or email.

Proof of Concept

Affects Plugins

Plugin icon
real-time-find-and-replace
Fixed in 4.0.2

References

CVE
CVE-2020-13641
URL
https://www.wordfence.com/blog/2020/04/high-severity-vulnerability-patched-in-real-time-find-and-replace-plugin/
URL
https://plugins.trac.wordpress.org/changeset/2289725/real-time-find-and-replace

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
https://wordfence.com
Submitter twitter
infosecchloe
Verified
No
WPVDB ID
92a30d3d-3afe-4a34-828f-ad0c7454c02a

Timeline

Publicly Published
2020-04-27 (about 6 years ago)
Added
2020-04-27 (about 6 years ago)
Last Updated
2020-05-29 (about 5 years ago)

Other

Published
Title
Published
2025-06-13
Title
XiSearch bar <= 2.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-04-24
Title
WP Filter Post Category <= 2.1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-10-16
Title
Lazy Load for Videos < 2.18.3 - Arbitrary Settings Update via CSRF
Published
2021-01-13
Title
Elementor Contact Form DB < 1.6 - Plugin Settings Cross-Site Request Forgery
Published
2024-06-21
Title
Falang multilanguage < 1.3.52 - Cross-Site Request Forgery