CVE-2025-10313
Find · Find And Replace content for WordPress plugin
Executive summary
A high-severity vulnerability has been identified in the "Find And Replace content for WordPress" plugin. This flaw allows low-privileged authenticated users to inject malicious code and arbitrarily replace content on the website, potentially leading to website defacement, redirection of visitors to malicious sites, or theft of sensitive user and administrator data. Immediate patching is required to mitigate the risk of compromise.
Vulnerability
The vulnerability exists within the far_admin_ajax_fun() function, which is accessible via WordPress's AJAX API. This function fails to perform a capability check, which is a security mechanism to ensure that the user making the request has the appropriate permissions (e.g., administrator) to perform sensitive actions. Because this check is missing, any authenticated user, including those with low-level permissions like a subscriber, can invoke this function to find and replace any content across the website. An attacker can leverage this to either replace legitimate content with misinformation or inject a persistent Cross-Site Scripting (XSS) payload, which will execute in the browsers of all visitors, including administrators.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could have a significant negative impact on the business. The ability to arbitrarily replace content can lead to website defacement, causing severe reputational damage and loss of customer trust. The Stored XSS component allows an attacker to steal session cookies from authenticated users, potentially leading to account takeover, including the hijacking of administrator accounts. This could result in a full site compromise, data breaches, or the use of the website to host phishing campaigns or distribute malware to visitors.
Remediation
Immediate Action: Update the "Find And Replace content for WordPress" plugin to the latest patched version (greater than version 1) without delay. If a patch is not yet available or the plugin is not critical, disable and delete it. As a best practice, review all installed plugins and themes, removing any that are no longer needed to reduce the overall attack surface.
Proactive Monitoring: Monitor web server access logs for an unusual number of POST requests to /wp-admin/admin-ajax.php with the action parameter set to far_admin_ajax_fun, especially from non-administrative users. Implement a file integrity monitoring system to alert on unexpected changes to website content and files. Use a Web Application Firewall (WAF) to inspect traffic for common XSS payloads and block malicious requests.
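The access-log check described above, as an added example (not code from the advisory or the plugin): it parses constructed combined-format log lines, keeps POST requests to /wp-admin/admin-ajax.php whose query string names the far_admin_ajax_fun action, and flags client IPs at or above a threshold. The log-format regex, the sample addresses and the threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format (assumed layout; adjust to your server's log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

VULN_ACTION = "far_admin_ajax_fun"  # AJAX action named in the advisory


def is_suspicious(line):
    """True if the line is a POST to admin-ajax.php naming the vulnerable action.

    Caveat: admin-ajax.php normally receives `action` in the POST body, which
    access logs do not record; this only catches requests that carry it in the
    query string. Body-level visibility needs WAF or application logging.
    """
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return False
    parts = urlsplit(m.group("path"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    return VULN_ACTION in parse_qs(parts.query).get("action", [])


def flag_sources(lines, threshold=3):
    """Count suspicious requests per client IP; return those at/above threshold."""
    counts = Counter()
    for line in lines:
        if is_suspicious(line):
            counts[LOG_RE.match(line).group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Oct/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=far_admin_ajax_fun HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Oct/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=far_admin_ajax_fun HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Oct/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=far_admin_ajax_fun HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2025:10:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2025:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=far_admin_ajax_fun HTTP/1.1" 400 10 "-" "curl/8.0"
"""

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG.splitlines()))
```

Because access logs carry no WordPress user identity, tie flagged IPs back to the "non-administrative users" criterion through the application's own audit or authentication logs.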
Compensating Controls: If patching cannot be performed immediately, disable the plugin as the primary compensating control. If the plugin must remain active, implement a stringent Web Application Firewall (WAF) rule to block requests to the vulnerable AJAX action from unauthorized users. Additionally, enforce the principle of least privilege by regularly reviewing user roles and disabling public user registration if not required for business operations.
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the high severity (CVSS 7.2) and the public availability of exploit code, immediate action is strongly recommended. Organizations must prioritize patching this vulnerability on all public-facing WordPress instances to prevent potential website compromise and reputational damage. Although not currently on the CISA KEV list, its simplicity makes it an attractive target for opportunistic attackers. A full audit of all installed plugins should be conducted to identify and remediate other potentially vulnerable components.