WordPress Plugin Vulnerabilities

Better Find and Replace < 1.7.8 - Missing Authorization

Description

The plugin is vulnerable to unauthorized API usage due to a missing capability check on the rtafar_ajax() function. This makes it possible for authenticated attackers, with Subscriber-level access, to trigger OpenAI API key usage resulting in quota consumption potentially incurring cost.

Affects Plugins

Plugin icon
real-time-auto-find-and-replace
Fixed in 1.7.8

References

CVE
CVE-2025-12360
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/757e41dd-d72f-4e87-a087-c5c38bd727e5

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Adrian Lukita
Verified
No
WPVDB ID
ad395278-c173-415a-a5c1-b13eab3f3b7f

Timeline

Publicly Published
2025-11-05 (about 6 months ago)
Added
2025-11-06 (about 6 months ago)
Last Updated
2025-11-06 (about 6 months ago)

Other

Published
Title
Published
2025-03-13
Title
JobCareer | Job Board Responsive WordPress Theme <= 7.1 - Missing Authorization to Authenticated (Subscriber+) Multiple Administrative Actions
Published
2024-12-14
Title
WooCommerce Basic Ordernumbers <= 1.4.4 - Missing Authorization
Published
2025-02-11
Title
Popup Plugin For WordPress - ConvertPlus < 3.5.31 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update
Published
2023-03-10
Title
RapidLoad Power-Up for Autoptimize < 1.7.2 - Unauthorised AJAX Calls
Published
2026-01-25
Title
Automatic Featured Images from Videos < 1.2.8 - Missing Authorization