Better Search Replace Plugin Vulnerable to PHP Object Injection
CVE-2023-6933

9.8 CRITICAL

Key Information:

Vendor
WordPress
CVE Published:
5 February 2024

Badges

📰 News Worthy

Summary

The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 1.4.4, because it passes untrusted input to unserialize(). An unauthenticated attacker can therefore inject an arbitrary PHP object. The plugin itself contains no Property-Oriented Programming (POP) chain, so the injected object alone does nothing; but if another installed plugin or theme supplies a usable gadget chain (for example a class whose __destruct or __wakeup acts on attacker-controlled properties), the attacker may be able to delete arbitrary files, retrieve sensitive data, or execute code. Sites running the plugin should update to a release later than 1.4.4 (1.4.5 or newer). As a compensating check, audit the other installed plugins and themes for classes with magic methods that act on their own properties, since those are what turn this injection into an exploit.
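The following is an added illustration of the bug class behind this CVE, not code from the Better Search Replace plugin or from any other real plugin. The Gadget class is a constructed stand-in for the kind of class that, when present somewhere else on the site, turns an unserialize() of attacker-controlled bytes into a file deletion; the function names, the class name and the payload are all assumptions made for the example. It contrasts the vulnerable call with two hardened forms and shows that the destructor only fires when classes are allowed.

```php
<?php
// Added example (not the plugin's code): PHP Object Injection via unserialize()
// and why a gadget class elsewhere on the site is what makes it exploitable.

// Constructed "POP gadget": a destructor that removes the path stored in a
// public property. Real gadgets of this shape live in cache/temp-file cleanup
// code of unrelated plugins or themes. The vulnerable plugin need not ship one.
class Gadget
{
    public string $path = '';

    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: untrusted bytes go straight into unserialize().
// Any class loaded in the process can be instantiated and its magic methods run.
function vulnerable_restore(string $untrusted)
{
    return unserialize($untrusted);
}

// Hardened pattern 1 (PHP >= 7.0): refuse objects entirely. Serialized objects
// come back as __PHP_Incomplete_Class, whose magic methods never run.
function hardened_restore(string $untrusted)
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not use PHP's native serialization for untrusted data.
// JSON cannot express objects with behaviour, so there is nothing to chain.
function json_restore(string $untrusted): ?array
{
    $decoded = json_decode($untrusted, true, 32, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : null;
}

// --- Demonstration on a constructed payload ---------------------------------
// Create a throwaway file that the gadget would delete.
$victim = tempnam(sys_get_temp_dir(), 'poi_demo_');

// Attacker-controlled string: an "O:" record naming the gadget class and
// setting its 'path' property. Built with serialize() here for readability;
// an attacker simply sends these bytes in whatever parameter reaches unserialize().
$g = new Gadget();
$g->path = $victim;
$payload = serialize($g);
$g->path = '';   // neutralise our own instance so its destructor is a no-op
unset($g);

// With allowed_classes => false the object is inert and the file survives.
$obj = hardened_restore($payload);
if (!($obj instanceof __PHP_Incomplete_Class)) {
    throw new RuntimeException('expected an incomplete class, got ' . get_debug_type($obj));
}
unset($obj);
echo 'after hardened_restore, file exists: ', var_export(file_exists($victim), true), PHP_EOL;

// The plain unserialize() instantiates Gadget; dropping the reference runs
// __destruct and the file is gone. The parsing code never mentioned Gadget.
$obj = vulnerable_restore($payload);
if (!($obj instanceof Gadget)) {
    throw new RuntimeException('expected a Gadget, got ' . get_debug_type($obj));
}
unset($obj);
echo 'after vulnerable_restore, file exists: ', var_export(file_exists($victim), true), PHP_EOL;
```

Run it with a stock PHP CLI (7.4 or newer for the typed property). The useful takeaway for triage is the last comment: the vulnerable function contains nothing that looks dangerous on its own, which is why a "no POP chain in this plugin" advisory still rates the issue critical; the chain is supplied by whatever else is installed, and that inventory changes over time.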

Affected Version(s)

Better Search Replace: all versions up to and including 1.4.4

News Articles

CVE-2023-6933 | AttackerKB

1 year ago

Over a Million Sites at Risk: Hackers are Exploiting CVE-2023-6933 Flaw in WordPress Plugin

Dubbed CVE-2023-6933, this security flaw has been classified with a critical severity rating of 9.8 out of 10

1 year ago

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 9.8 (CRITICAL)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published
  • 📰 First article discovered by Penetration Testing
  • Vulnerability reserved

Credit

Sam Pizzey