QID 731121

Date Published: 2024-01-26

QID 731121: WordPress Better Search Replace Unauthenticated PHP Object Injection Vulnerability

The Better Search Replace plugin for WordPress allows you to run a search/replace on the database for everything to work correctly when moving to a new host.

The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input. This could allow an unauthenticated, remote attackers to execute arbitrary code by injecting malicious PHP Objects.

Affected Versions:
Better Search Replace WordPress plugin versions less than 1.4.5

QID Detection Logic:

Successful exploitation allows an unauthenticated, remote attacker to instantiate malicious objects and execute malicious code stored in the database.

CVSS V3 rated as Critical - 9.8 severity.

CVSS V2 rated as High - 6.8 severity.

Solution

Customers are advised to upgrade to Better Search Replace 1.4.5 and later versions to remediate this vulnerability.

Vendor References

Better Search Replace 1.4.5 - wordpress.org/plugins/better-search-replace/#developers

CVEs related to QID 731121

CVE-2023-6933 |

Software Advisories

Advisory ID	Software	Component	Link
Better Search Replace 1.4.5 or later			wordpress.org/plugins/better-search-replace/

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].