Better Find and Replace < 1.7.8 – Authenticated (Subscriber+) Limited Code Injection | CVE 2025-9334 | Plugin Vulnerabilities

Description

The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. This is due to insufficient input validation and restriction on the 'rtafar_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to call arbitrary plugin functions and execute code within those functions.

Affects Plugins

real-time-auto-find-and-replace

Fixed in 1.7.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/232f3a15-3bd3-44fa-aa07-f055e8fcda88

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

ISMAILSHADOW

Verified

No

WPVDB ID

90b1a26d-7fa2-4124-b1fb-bb7be15e2cdf

Timeline

Publicly Published

2025-11-07 (about 6 months ago)

Added

2025-11-07 (about 6 months ago)

Last Updated

2025-11-08 (about 6 months ago)

Other

Published

Title

Published

2021-05-14

Title

WP Super Cache < 1.7.3 - Authenticated Remote Code Execution

Published

2024-11-19

Title

WooCommerce Product Table Lite < 3.8.7 - Unauthenticated Arbitrary Shortcode Execution & Reflected Cross-Site Scripting

Published

2014-08-01

Title

File Gallery 1.7.9 - Settings Page create_function Function Remote Comm& Execution

Published

2022-02-08

Title

PHP Everywhere < 3.0.0 - Contributor+ RCE via Metabox

Published

2018-01-04

Title

buddypress-xprofile-custom-fields-type 2.6.3 - Authenticated Arbitrary File Deletion