Better Search Replace Vulnerability – Unauthenticated PHP Object Injection – CVE-2023-6933 | WordPress Plugin Vulnerability Report

Plugin Name: Better Search Replace

Key Information:

  • Software Type: Plugin
  • Software Slug: better-search-replace
  • Software Status: Active
  • Software Author: wpengine
  • Software Downloads: 12,169,696
  • Active Installs: 1,000,000
  • Last Updated: January 24, 2024
  • Patched Versions: 1.4.5
  • Affected Versions: <= 1.4.4

Vulnerability Details:

  • Name: Better Search Replace <= 1.4.4 - Unauthenticated PHP Object Injection
  • Type: Deserialization of Untrusted Data
  • CVE: CVE-2023-6933
  • CVSS Score: 9.8 (Critical)
  • Publicly Published: January 24, 2024
  • Researcher: Sam Pizzey
  • Description: The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Summary:

The Better Search Replace for WordPress has a critical vulnerability in versions up to and including 1.4.4 that allows unauthenticated PHP object injection. This vulnerability has been patched in version 1.4.5.

Detailed Overview:

The Better Search Replace plugin up to version 1.4.4 contains a vulnerability that allows unauthenticated attackers to inject malicious PHP objects due to the plugin deserializing user input without proper sanitization. Researcher Sam Pizzey disclosed that while no proof of concept chain currently exists within the vulnerable plugin itself that would enable remote code execution or other impacts, the presence of a POP chain in other installed plugins or themes could be leveraged to escalate the attack. With over 12 million downloads and an estimated 1 million active installations, this is a widely used plugin and prompt updating is advised. Version 1.4.5 patches the vulnerability by properly sanitizing input prior to deserializing.

Advice for Users:

  1. Immediate Action: Update to version 1.4.5 or higher as soon as possible.
  2. Check for Signs of Vulnerability: Review server logs for any suspicious requests targeting the Better Search Replace plugin. Also check with your host or security team to see if any potential attacks have been blocked.
  3. Alternate Plugins: Consider alternate search/replace plugins like Search & Replace or Search Regex as a precaution, even after updating.
  4. Stay Updated: Enable automatic background updates in WordPress to ensure plugins stay updated to the latest secure versions.

Conclusion:

The quick response by the developers to patch this critical remote code execution vulnerability is reassuring. All users of Better Search Replace are strongly urged to update immediately to protect their WordPress sites.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/better-search-replace

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/better-search-replace/better-search-replace-144-unauthenticated-php-object-injection

Detailed Report:

Keeping your WordPress website and its plugins up-to-date is critical for security, as outdated software can contain dangerous vulnerabilities. This point has been underscored this week by the disclosure of a critical security flaw impacting popular WordPress plugin Better Search Replace. Versions up to and including 1.4.4 contain an “unauthenticated PHP object injection” vulnerability, allowing potential malicious attackers to inject harmful PHP code into vulnerable sites. In this post, I’ll discuss the details of this vulnerability, how site owners can update to stay secure, and additional best practices around WordPress security and maintenance.

About Better Search Replace

Better Search Replace is an extremely popular WordPress plugin with over 12 million downloads and an estimated 1 million active installs. The plugin provides enhanced search and replace functionality within the WordPress database. It was developed by WPEngine and is currently still an active project.

The Vulnerability Researcher

Sam Pizzey disclosed that Better Search Replace versions up to and including 1.4.4 contain a vulnerability allowing unauthenticated remote attackers to inject PHP objects due to the plugin improperly deserializing user input. While the plugin itself does not contain a full proof of concept attack, if other installed plugins or the theme have vulnerable PHP object chains, this could enable remote code execution, data access or deletion, or other critical impacts.

The vulnerability has been assigned a CVSS score of 9.8, meaning it is critical severity. All unsupported versions of Better Search Replace should be considered highly dangerous.

Updating to Stay Secure

Developers have acted quickly to patch the vulnerability in version 1.4.5. All users of Better Search Replace should immediately update to this latest version or higher.

You can update the plugin from the WordPress dashboard by:

  1. Going to “Plugins” and clicking “Update Now”
  2. Manually deleting the existing plugin and reinstalling fresh.

Be sure to verify the install by going to the plugin details and ensuring it is Version 1.4.5.

Additional Security Best Practices

While the prompt update addresses this current threat, site owners need to be proactive to protect against future vulnerabilities:

  • Enable automatic background updates in WordPress to maintain plugins/themes
  • Regularly audit plugins and remove unused old plugins
  • Consider security-focused plugins like Wordfence for alerting and firewall
  • Utilize security measures offered by your host
  • Schedule regular backups in case disaster strikes
  • Consider migrating to a managed WordPress host for fully managed security

For small business owners without much time to actively manage sites, seeking help from a managed hosting provider or WordPress support firm may be wise to offload the work of staying secure. They can help ensure everything stays updated, backups run smoothly, and issues get addressed without you needing to jump into action.

Staying Locked Down

This Better Search Replace situation exemplifies why constant vigilance around security is so vital for WordPress sites. New threats come out constantly, and outdated software is an easy open door for attacks. While extremely inconvenient to have yet another vulnerability to deal with, the WordPress community has acted admirably in identifying the issue and releasing a quick patch. Be sure to update and utilize other best practices to lock down tight. Reach out for any help keeping secured!

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Better Search Replace Vulnerability - Unauthenticated PHP Object Injection - CVE-2023-6933 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment