Better Find and Replace < 1.7.7 – Admin+ Stored XSS | CVE 2025-53466 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

real-time-auto-find-and-replace

Fixed in 1.7.7

References

CVE

URL

https://patchstack.com/database/wordpress/plugin/real-time-auto-find-and-replace/vulnerability/wordpress-better-find-and-replace-plugin-1-7-6-cross-site-scripting-xss-vulnerability

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Nabil Irawan

Verified

No

WPVDB ID

2b04847e-4349-4e59-94af-cf57b1637c90

Timeline

Publicly Published

2025-09-22 (about 8 months ago)

Added

2025-09-26 (about 7 months ago)

Last Updated

2025-09-29 (about 7 months ago)

Other

Published

Title

Published

2024-11-08

Title

Stylish Internal Links <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-05-16

Title

MapSVG < 8.6.11 - Contributor+ Stored XSS

Published

2021-09-21

Title

Allow REL= and HTML in Author Bios <= .1- Author+ Stored Cross-Site Scripting

Published

2021-12-06

Title

Site Reviews < 5.17.3 - Unauthenticated Stored Cross-Site Scripting

Published

2025-01-24

Title

ShMapper by Teplitsa < 1.5.1 - Authenticated (Editor+) Stored Cross-Site Scripting