A high-severity vulnerability has been discovered in the "Better Find and Replace – AI-Powered Suggestions" plugin for WordPress. This flaw allows an attacker to inject and execute malicious code on a website using the plugin, potentially leading to a full site takeover. Successful exploitation could result in data theft, website defacement, or the distribution of malware to visitors.

The vulnerability is a Limited Code Injection flaw within the plugin's find-and-replace functionality. An attacker can craft a malicious input string for a search or replace operation that is not properly sanitized by the plugin. When the plugin processes this string, the injected code is executed on the server with the permissions of the web server's user, allowing the attacker to perform unauthorized actions such as modifying files, exfiltrating database information, or creating new administrative accounts.

This vulnerability is rated as High severity with a CVSS score of 8.8. Exploitation could lead to a complete compromise of the affected WordPress site, posing a significant risk to the organization. Potential consequences include a data breach of sensitive customer or user information, reputational damage from website defacement, and financial loss due to recovery costs and potential regulatory fines. Furthermore, a compromised website can be used as a pivot point to launch further attacks against the organization's internal network or its customers.

Immediate Action:

• Immediately update the "Better Find and Replace – AI-Powered Suggestions" plugin to the latest patched version provided by the vendor.
• If the plugin is not critical to business operations, the recommended course of action is to deactivate and uninstall it to completely remove the attack surface.
• Review WordPress user roles and permissions to ensure the principle of least privilege is enforced.

Proactive Monitoring:

• Monitor web server access logs for unusual POST requests to the plugin's administrative pages or functions, especially those containing suspicious code snippets or command-like syntax.
• Implement file integrity monitoring (FIM) to detect unauthorized changes to WordPress core files, themes, and plugins.
• Analyze network traffic for connections to unknown or malicious IP addresses originating from the web server, which could indicate data exfiltration or a reverse shell.

Compensating Controls:

• If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block code injection attempts targeting this plugin.
• Restrict access to the WordPress administrative dashboard (/wp-admin/) to trusted IP addresses only.
• Temporarily disable the plugin until a patch can be safely applied and tested.

Public Exploit Available: False

Immediate patching is strongly recommended for all systems utilizing the "Better Find and Replace" WordPress plugin. The high CVSS score of 8.8 indicates a critical risk of website compromise, which could lead to significant data breaches and operational disruption. Although this vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity warrants urgent attention. Organizations should prioritize the remediation actions outlined in this report to mitigate the risk of exploitation.