CVE-2023-6933
Published 2024-02-05
Priority: P1 86 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 68.05% (99.2th percentile)
The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpengine | better_search_replace | < 1.4.5 | 1.4.5 |
| wpengine | better_search_replace | <= 1.4.4 | — |
Detection & IOCs (extracted from sources)
yara:
body contains 'Better Search' AND status_code == 200 AND version < 1.4.5
- Probe for the presence of the vulnerable plugin by requesting its README.txt file and checking for 'Better Search' in the body with a version string below 1.4.5 (extracted via regex 'Stable tag: ([0-9.]+)').
- FOFA fingerprint query for exposed instances of the vulnerable plugin: body="/wp-content/plugins/better-search-replace/"
- Wordfence blocked over 2,500 attacks targeting CVE-2023-6933 in 24 hours; monitor WAF/IDS logs for unauthenticated POST requests carrying serialized PHP objects to Better Search Replace endpoints.
- Some logged attempts may overlap with CVE-2023-25135; correlate detections carefully to attribute correctly to CVE-2023-6933.
- The vulnerability is triggered via deserialization of untrusted input; look for PHP object injection payloads (e.g., serialized 'O:' strings) in request bodies to WordPress AJAX or REST API endpoints associated with the Better Search Replace plugin.
- The plugin itself contains no POP chain; exploitation requires a secondary plugin or theme on the same WordPress installation to supply a usable POP chain. Severity is context-dependent.
- Broad detection rules may conflate CVE-2023-6933 activity with CVE-2023-25135; tune signatures to distinguish between the two vulnerabilities.
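An added detection helper (example code written here, not from the page's sources or the plugin): it applies the README 'Stable tag' check above with a numeric version comparison, and flags POST requests to WordPress AJAX/REST endpoints whose bodies carry a serialized PHP object, run over constructed log entries. The endpoint paths, the 'bsr' attribution substrings and the action names in the sample are assumptions.

```python
import re
from urllib.parse import unquote_plus

FIXED_VERSION = (1, 4, 5)                            # first fixed release per the advisory
STABLE_TAG_RE = re.compile(r"Stable tag: ([0-9.]+)")  # regex quoted on the page
# Leading bytes of a serialized PHP object after URL-decoding: O:<len>:"<class>":<nprops>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')
WP_ENDPOINTS = ("/wp-admin/admin-ajax.php", "/wp-json/")   # assumed request paths to watch
PLUGIN_HINTS = ("better-search-replace", "bsr")  # assumed substrings, not the plugin's real action names

def is_vulnerable_version(readme_text):
    """True if README.txt reports a Stable tag below 1.4.5, False if at or above, None if no tag."""
    m = STABLE_TAG_RE.search(readme_text)
    if not m:
        return None
    # Compare numerically, not lexically: the string "1.4.10" sorts before "1.4.5" but is newer.
    parts = tuple(int(p) for p in m.group(1).strip(".").split("."))
    return parts < FIXED_VERSION

def flag_request(entry):
    """Label a POST to a WordPress AJAX/REST endpoint whose body carries a serialized PHP object."""
    if entry["method"] != "POST" or not entry["path"].startswith(WP_ENDPOINTS):
        return None
    body = unquote_plus(entry["body"])                 # form bodies usually arrive URL-encoded
    if not PHP_OBJECT_RE.search(body):
        return None
    # The page warns this traffic is easily conflated with other CVEs; record an attribution hint.
    attributed = any(h in body.lower() for h in PLUGIN_HINTS)
    return "php-object-injection/" + ("bsr-hint" if attributed else "unattributed")

def scan(entries):
    """Return (index, label) for every entry that flag_request labels."""
    return [(i, lbl) for i, e in enumerate(entries) if (lbl := flag_request(e))]

# Constructed sample log entries (not real traffic); action/parameter names are made up.
SAMPLE_LOG = [
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": 'action=bsr_demo&data=O:8:"stdClass":0:{}'},
    {"method": "POST", "path": "/wp-json/wp/v2/posts", "body": "title=hello&content=O:not:an:object"},
    {"method": "GET", "path": "/wp-content/plugins/better-search-replace/readme.txt", "body": ""},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": "data=O%3A9%3A%22SomeClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D"},
]

if __name__ == "__main__":
    print(is_vulnerable_version("=== Better Search Replace ===\nStable tag: 1.4.4\n"))  # True
    for i, label in scan(SAMPLE_LOG):
        print(i, label)
```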
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 8.8 HIGH
VulDB
Better Search Replace Plugin up to 1.4.4 on WordPress code injection (ID 3023674)
vuldb·2026-04-11·CVSS 8.8
A vulnerability was found in Better Search Replace Plugin up to 1.4.4 on WordPress. It has been declared as critical. Affected by this issue is some unknown functionality. Such manipulation leads to code injection.
This vulnerability is listed as CVE-2023-6933. The attack must be carried out from within the local network. There is no available exploit.
GHSA
GHSA-8gwq-mv35-rmmj: The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1
ghsa_unreviewed·2024-02-06
VulnCheck
wpengine better_search_replace Deserialization of Untrusted Data
vulncheck·2023·CVSS 8.8
Affected: wpengine better_search_replace
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.bleepingcomp
No detection rules found.
Nuclei
Better Search Replace < 1.4.5 - PHP Object Injection
nuclei·CVSS 9.8
Template:
```yaml
id: CVE-2023-6933
info:
  name: Better Search Replace < 1.4.5 - PHP Object Injection
  author: pussycat0x
  severity: critical
  description: |
    The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and
```
References:
- https://plugins.trac.wordpress.org/browser/better-search-replace/trunk/includes/class-bsr-db.php#L334
- https://plugins.trac.wordpress.org/changeset/3023674/better-search-replace/trunk/includes/class-bsr-db.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/895f2db1-a2ed-4a17-a4f6-cd13ee8f84af?source=cve