WordPress Plugin Vulnerabilities

Find and Replace All <= 1.3 - Arbitrary Replacement via CSRF

Description

The plugin does not have CSRF check when replacing string, which could allow attackers to make a logged admin replace arbitrary string in database tables via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
find-and-replace-all
No known fix

References

CVE
CVE-2022-3850

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Vinay Varma Mudunuri, Krishna Harsha Kondaveeti
Submitter
Vinay Varma Mudunuri
Verified
Yes
WPVDB ID
8ae42ec0-7e3a-4ea5-8e76-0aae7b92a8e9

Timeline

Publicly Published
2022-11-03 (about 3 years ago)
Added
2022-11-03 (about 3 years ago)
Last Updated
2022-11-03 (about 3 years ago)

Other

Published
Title
Published
2025-11-03
Title
Visit Counter 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-04-11
Title
Siteimprove < 2.0.7 - Cross-Site Request Forgery
Published
2020-02-24
Title
Ultimate Membership Pro < 8.7 - Cross-Site Request Forgery allowing Arbitrary Account Deletion and Creation
Published
2025-01-07
Title
Quote Tweet <= 0.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-06-05
Title
POEditor < 0.9.11 - Cross-Site Request Forgery