Vulnerability Description
An issue was discovered in the Real-Time Find and Replace plugin before 4.0.2 for WordPress. The far_options_page function did not do any nonce verification, allowing requests to be forged on behalf of an administrator (CSRF). The find and replace rules could be updated with malicious JavaScript, which would then be executed later in the victim's browser.
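The following is an added illustration, not the plugin's own code: a WordPress options-page save handler in the shape the description above implies (no nonce check, rules stored from the raw request), beside a hardened version that checks capability and nonce and sanitises the stored rule text. Function, option and field names (far_options_page_vulnerable, far_rules, far_nonce, far_save_rules) are hypothetical; the WordPress API calls used are the standard ones.

```php
<?php
// Added illustration (not the plugin's code). Names are hypothetical.

// Vulnerable shape: any POST that reaches the admin page is trusted. A forged
// request from a third-party site, carried by the logged-in admin's session
// cookie, silently rewrites the rules; a replacement containing <script> is
// then emitted into pages served to every visitor.
function far_options_page_vulnerable() {
    if ( ! empty( $_POST['rules'] ) ) {
        update_option( 'far_rules', $_POST['rules'] );
    }
}

// Hardened shape: capability check, action-bound nonce, sanitised storage.
function far_options_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( ! empty( $_POST['rules'] ) ) {
        // Dies with a 403 unless the request carries a valid nonce for this
        // action, so a cross-site forged request cannot reach update_option().
        check_admin_referer( 'far_save_rules', 'far_nonce' );
        $clean = array();
        foreach ( (array) $_POST['rules'] as $rule ) {
            $clean[] = array(
                // Search pattern: plain text only.
                'find'    => sanitize_text_field( wp_unslash( $rule['find'] ?? '' ) ),
                // Replacement may legitimately contain markup, so allow the
                // post-safe HTML subset; <script> and event handlers are removed.
                'replace' => wp_kses_post( wp_unslash( $rule['replace'] ?? '' ) ),
            );
        }
        update_option( 'far_rules', $clean );
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'far_save_rules', 'far_nonce' ); ?>
        <input type="text" name="rules[0][find]">
        <input type="text" name="rules[0][replace]">
        <?php submit_button( 'Save rules' ); ?>
    </form>
    <?php
}
```

The nonce alone closes the forgery path; the sanitisation limits the impact should any other write path to the option exist.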
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Infolific | Real-Time Find And Replace | < 4.0.2 |
Related Weaknesses (CWE)
References
- https://wordpress.org/plugins/real-time-find-and-replace/#developers (Release Notes, Third Party Advisory)
- https://www.wordfence.com/blog/2020/04/high-severity-vulnerability-patched-in-re (Exploit, Third Party Advisory)
FAQ
What is CVE-2020-13641?
CVE-2020-13641 is a vulnerability with a CVSS score of 8.8 (HIGH). An issue was discovered in the Real-Time Find and Replace plugin before 4.0.2 for WordPress. The far_options_page function did not do any nonce verification, allowing for requests to be forged on beha...
How severe is CVE-2020-13641?
CVE-2020-13641 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-13641?
Check the references section above for vendor advisories and patch information. Affected products include: Infolific Real-Time Find And Replace.