A surge in malicious activity aimed at exploiting a critical flaw in the widely used 'Better Search Replace' WordPress plugin has recently been detected. In the past 24 hours alone, researchers have identified thousands of attempts to compromise security.
'Better Search Replace' has over one million installations and is a go-to tool for administrators during website migrations, offering search and replace functionalities for databases. It allows admins to search and replace specific text, manage serialised data, and provides selective replacement options. The plugin supports WordPress Multisite and includes a 'dry run' option to ensure smooth operations.
To counter a critical-severity PHP object injection vulnerability (CVE-2023-6933), the plugin's vendor, WP Engine, released version 1.4.5 last week. This vulnerability, stemming from deserialising untrusted input, opens the door for unauthenticated attackers to inject a PHP object. Successful exploitation could result in code execution, unauthorised access to sensitive data, file manipulation or deletion, and triggering an infinite loop denial of service.
While it has been noted that 'Better Search Replace' isn't directly vulnerable, the flaw can be exploited if another plugin or theme on the same site contains a Property Oriented Programming (POP) chain. The exploitability of PHP object injection vulnerabilities often depends on the presence of a suitable POP chain.
Hackers are actively taking advantage of this vulnerability, with Wordfence reporting over 2,500 attacks blocked in the past 24 hours targeting CVE-2023-6933.
All versions of 'Better Search Replace' up to 1.4.4 are affected, and users are strongly advised to upgrade to version 1.4.5 promptly.
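To find installs still on an affected release (anything below 1.4.5), the following added example, which is not code from Wordfence or WP Engine, walks a directory tree of WordPress sites and reads the version from each copy's plugin header. The directory name `better-search-replace` is assumed from the plugin's wordpress.org slug, and the sample tree and its `main.php` file are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

SLUG = "better-search-replace"  # assumption: plugin directory name (wordpress.org slug)
FIXED = (1, 4, 5)               # first fixed release named in the article

# WordPress reads plugin metadata from a comment header in the first 8 KB of a PHP file.
NAME = re.compile(r"^[ \t/*#@]*Plugin Name:", re.M | re.I)
VERSION = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.M | re.I)

def installed_version(plugin_dir):
    """Return the version string from the plugin header, or None if no header is found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        match = VERSION.search(head)
        if match and NAME.search(head):
            return match.group(1)
    return None

def status_for(version):
    """Classify a version string against the fixed release."""
    if version is None:
        return "unknown"
    parts = [int(p) for p in version.split(".")][:3]
    parts += [0] * (3 - len(parts))          # "1.4" compares as 1.4.0
    return "affected" if tuple(parts) < FIXED else "fixed"

def audit(root):
    """List (path, version, status) for every copy of the plugin below root."""
    found = []
    for d in sorted(Path(root).rglob(SLUG)):
        if d.is_dir() and d.parent.name == "plugins":
            version = installed_version(d)
            found.append((str(d), version, status_for(version)))
    return found

def make_sample_tree(root, versions):
    """Build constructed sample installs: {site name: version or None}."""
    for site, version in versions.items():
        d = Path(root, site, "wp-content", "plugins", SLUG)
        d.mkdir(parents=True)
        if version:
            header = f"<?php\n/**\n * Plugin Name: Better Search Replace\n * Version: {version}\n */\n"
            (d / "main.php").write_text(header)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp, {"site-a": "1.4.4", "site-b": "1.4.5", "site-c": None})
        for path, version, status in audit(tmp):
            print(f"{status:8} {version or '-':8} {path}")
```

A status of "unknown" means the plugin directory exists but no readable header was found, so that install needs a manual check.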
As of the latest update on January 25th, Wordfence clarified detection rules, acknowledging some logged attempts related to other flaws, such as CVE-2023-25135. However, the majority of attacks are focused on exploiting CVE-2023-6933.