CVE-2025-9334

Sažetak

The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. This is due to insufficient input validation and restriction on the 'rtafar_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to call arbitrary plugin functions and execute code within those functions.

Reference

https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php#L29
https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/admin/functions/DbReplacer.php#L507
https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/lib/Util.php#L233
https://plugins.trac.wordpress.org/changeset/3389979/
https://www.wordfence.com/threat-intel/vulnerabilities/id/232f3a15-3bd3-44fa-aa07-f055e8fcda88?source=cve

CVSS

Base:	8.8
Impact:	5.9
Exploitability:	2.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Zadnje važnije ažuriranje

08-11-2025 - 06:15

Objavljeno

08-11-2025 - 06:15