Advisory

Critical issue in Better Search Replace plugin for WordPress

Take action: Another WordPress plugin that requires immediate action. Like most plugins, it is reachable from the internet by unauthenticated users, so there is no practical mitigation other than updating: install version 1.4.5 or later (plugin slug better-search-replace) and confirm the installed version afterwards. Luckily, patching is easy, so don't delay.


Learn More

A critical vulnerability was found and patched in the "Better Search Replace" WordPress plugin, used by over 1 million websites.

This vulnerability, tracked as CVE-2023-6933 (CVSS score 9.8), is a PHP Object Injection flaw: during search and replace operations the plugin passes untrusted serialized data to unserialize() without restricting which classes may be instantiated. An unauthenticated attacker who can get a crafted serialized string into the data the plugin processes can therefore inject arbitrary PHP objects. The plugin itself contains no known POP (property-oriented programming) chain, so on its own the injection does nothing harmful; if another plugin or theme on the site supplies one, however, the attacker can chain into it to execute arbitrary code, delete files, or access sensitive data.
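The pattern behind this bug class, as an added example that is not code from the Better Search Replace plugin or from WP Engine: an unrestricted unserialize() call beside its hardened form. The LogWriter gadget class, the restore_value_* helper names and the "stored value" are constructed for the demo; the gadget stands in for a POP chain that some other plugin or theme might provide.

```php
<?php
// Added illustration, not code from the Better Search Replace plugin.
// The gadget class and the stored value below are constructed for the demo.

// Hypothetical gadget standing in for a POP chain supplied by another
// plugin or theme. It is harmless in normal use: PHP invokes __destruct
// when the object is freed, which happens as soon as a deserialized
// object goes out of scope, so an attacker who controls its properties
// controls a file write.
class LogWriter
{
    public $path;
    public $contents;

    public function __destruct()
    {
        if ($this->path !== null) {
            file_put_contents($this->path, $this->contents);
        }
    }
}

// Vulnerable pattern: unserialize() with default options instantiates any
// class the attacker names, so that class's magic methods become reachable.
function restore_value_vulnerable(string $value)
{
    return @unserialize($value);
}

// Hardened pattern (PHP 7.0+): allowed_classes => false turns every object
// in the input into __PHP_Incomplete_Class, whose magic methods never run.
// Scalars and arrays, which is all a search/replace of serialized data
// needs to rewrite, are still deserialized normally.
function restore_value_hardened(string $value)
{
    return @unserialize($value, ['allowed_classes' => false]);
}

// Constructed "database value": a serialized string an attacker could have
// stored earlier and that a later search-and-replace pass would deserialize.
// Built with sprintf so the byte counts in the s:N:"..." fields are correct.
$target  = sys_get_temp_dir() . '/object-injection-demo.txt';
$body    = "written by LogWriter::__destruct\n";
$payload = sprintf(
    'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:8:"contents";s:%d:"%s";}',
    strlen($target), $target, strlen($body), $body
);

// Vulnerable path: a real LogWriter is built and its destructor fires.
@unlink($target);
$obj = restore_value_vulnerable($payload);
echo "vulnerable: unserialize() returned ", get_class($obj), "\n";
unset($obj);
echo file_exists($target) ? "  -> gadget wrote $target\n" : "  -> nothing written\n";

// Hardened path: the same payload yields an incomplete class, no side effect.
@unlink($target);
$obj = restore_value_hardened($payload);
echo "hardened:   unserialize() returned ", get_class($obj), "\n";
unset($obj);
echo file_exists($target) ? "  -> gadget wrote $target\n" : "  -> nothing written\n";
```

Run it with `php object-injection-demo.php`: the first half leaves a file in the temp directory, the second does not. Whether the 1.4.5 patch uses exactly this option is not stated here; restricting allowed_classes is the standard hardening for this bug class when the code only needs to rewrite strings inside serialized scalars and arrays, which is what a search and replace tool does.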

Originally developed by Delicious Brains and now managed by WP Engine, this popular plugin facilitates database search and replace tasks, especially useful during site migrations.

WP Engine promptly fixed this issue in version 1.4.5, released on January 18, 2024, following Wordfence's responsible disclosure. Plugin users are advised to update to the latest version to safeguard their sites.