CVE-2023-6933
published 2024-02-05


Priority: P186 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 68.05% (99.2th percentile)
The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affected

2 ranges
Vendor    Product                Version range  Fixed in
wpengine  better_search_replace  < 1.4.5        1.4.5
wpengine  better_search_replace  <= 1.4.4

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/better-search-replace/README.txt
path: /wp-content/plugins/better-search-replace/readme.txt
yara: body contains 'Better Search' AND status_code == 200 AND version < 1.4.5
  • Probe for the presence of the vulnerable plugin by requesting its README.txt file and checking for 'Better Search' in the body with a version string below 1.4.5 (extracted via regex 'Stable tag: ([0-9.]+)').
  • FOFA fingerprint query for exposed instances of the vulnerable plugin: body="/wp-content/plugins/better-search-replace/"
  • Wordfence blocked over 2,500 attacks targeting CVE-2023-6933 in 24 hours; monitor WAF/IDS logs for unauthenticated POST requests carrying serialized PHP objects to Better Search Replace endpoints.
  • Some logged attempts may overlap with CVE-2023-25135; correlate detections carefully to attribute correctly to CVE-2023-6933.
  • The vulnerability is triggered via deserialization of untrusted input; look for PHP object injection payloads (e.g., serialized 'O:' strings) in request bodies to WordPress AJAX or REST API endpoints associated with the Better Search Replace plugin.
  • The plugin itself contains no POP chain; exploitation requires a secondary plugin or theme on the same WordPress installation to supply a usable POP chain. Severity is context-dependent.
  • Broad detection rules may conflate CVE-2023-6933 activity with CVE-2023-25135; tune signatures to distinguish between the two vulnerabilities.
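
The two checks described above, written as an added example for auditing your own installation and logs (it is not code from this page or its sources): a version test on the text of a local readme.txt using the 'Stable tag' field, and a scan of captured request bodies for serialized PHP object headers. The function names, sample bodies and field names are constructed for illustration.

```python
import re
from urllib.parse import unquote

FIXED = (1, 4, 5)  # first fixed release, from the Affected table
STABLE_TAG = re.compile(r"Stable tag:\s*([0-9.]+)", re.IGNORECASE)
# Serialized PHP object header: O:<name length>:"<class>":<property count>:{
PHP_OBJECT = re.compile(r'(?<![A-Za-z0-9])O:\d+:"[^"]+":\d+:\{')

def readme_is_vulnerable(readme_text):
    """True/False for a Better Search Replace readme; None if it cannot be identified."""
    match = STABLE_TAG.search(readme_text)
    if "Better Search" not in readme_text or not match:
        return None
    version = tuple(int(p) for p in match.group(1).split(".") if p)
    if not version:
        return None
    version += (0,) * (3 - len(version))  # "1.4" compares as 1.4.0
    return version < FIXED  # tuple compare, so 1.4.10 is newer than 1.4.5

def find_php_objects(body, max_decodes=2):
    """Return object headers seen in a request body, raw or URL-encoded."""
    hits, current = [], body
    for _ in range(max_decodes + 1):
        for header in PHP_OBJECT.findall(current):
            if header not in hits:
                hits.append(header)
        decoded = unquote(current)
        if decoded == current:
            break  # nothing left to decode
        current = decoded
    return hits

# Constructed sample request bodies (field names are placeholders).
SAMPLE_BODIES = [
    "field=http%3A%2F%2Fold.example&other=https%3A%2F%2Fnew.example",
    "field=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D",
    'field=a:1:{i:0;s:2:"ok";}',  # serialized array, no object
]

if __name__ == "__main__":
    readme = "=== Better Search Replace ===\nStable tag: 1.4.4\n"  # constructed
    print("vulnerable:", readme_is_vulnerable(readme))
    for body in SAMPLE_BODIES:
        print(find_php_objects(body) or "clean", "<-", body[:40])
```

A hit from `find_php_objects` only shows that a serialized object was submitted; attributing it to CVE-2023-6933 rather than CVE-2023-25135 still needs the request path and target plugin from the same log entry.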

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck           8.8    HIGH