CVE Alert: CVE-2025-9334 – codesolz – Better Find and Replace – AI-Powered Suggestions
CVE-2025-9334
The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. This is due to insufficient input validation and restriction on the ‘rtafar_ajax’ function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to call arbitrary plugin functions and execute code within those functions.
AI Summary Analysis
**Risk verdict**: High risk: authenticated limited code injection could enable remote code execution via the plugin; no KEV or EPSS exploitation signals are provided in the data.
**Why this matters**: An attacker with Subscriber+ access could run arbitrary PHP within the site context, potentially compromising the entire WordPress installation, exfiltrating data or implanting backdoors. This is particularly dangerous for e-commerce, CRM, or sites handling sensitive personal or financial data, where persistence and access to credentials are attractive for attackers.
**Most likely attack path**: The flaw requires network access but no user interaction and relies on low privileges (Subscriber+). An authenticated user can trigger the vulnerable rtafar_ajax endpoint to call arbitrary plugin functions, bypassing input validation to achieve code injection. The attack would operate within the plugin’s context (Scope: unchanged) with high impact on confidentiality, integrity and availability.
**Who is most exposed**: WordPress sites using Better Find and Replace – AI-Powered Suggestions, especially multisite or organisations with many registered users; hosted environments where Subscriber+ accounts exist are at higher risk.
**Detection ideas**:
- Unusual volumes of admin-ajax.php requests targeting rtafar_ajax, or such requests carrying unexpected parameters.
- PHP errors or logs showing execution of unexpected plugin functions.
- New or anomalous subscriber accounts or activity tied to the plugin.
- Defacement indicators or unexpected content changes within the plugin’s files.
- Spikes in 500 errors after authenticated requests to the plugin.
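A small access-log triage script combining the first and last detection ideas above, added here as an example and not part of the advisory. It assumes the handler is reached through admin-ajax.php with `action=rtafar_ajax` (the exact action name is an assumption) and that only the query string is visible, as in a standard combined access log; the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=rtafar_ajax HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2025:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=rtafar_ajax HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2025:10:01:04 +0000] "GET /wp-admin/admin-ajax.php?action=rtafar_ajax HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2025:10:02:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SUSPECT_ACTION = "rtafar_ajax"  # assumption: admin-ajax action name of the vulnerable handler


def parse_line(line):
    """Return (ip, method, path, query dict, status) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlparse(m["path"])
    return m["ip"], m["method"], url.path, parse_qs(url.query), int(m["status"])


def find_suspect_clients(log_text, threshold=2):
    """Per client IP, count hits on the suspect action and 5xx responses to them.

    Returns ip -> {"hits": n, "errors": n_5xx} for clients that reach `threshold`
    hits or produced any server error (the '500 spike' signal).
    """
    stats = defaultdict(lambda: {"hits": 0, "errors": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, _method, path, query, status = parsed
        if not path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # POST bodies are not in access logs; those need request-body logging or a WAF.
        if SUSPECT_ACTION not in query.get("action", []):
            continue
        stats[ip]["hits"] += 1
        if 500 <= status < 600:
            stats[ip]["errors"] += 1
    return {ip: s for ip, s in stats.items() if s["hits"] >= threshold or s["errors"]}


if __name__ == "__main__":
    for ip, s in find_suspect_clients(SAMPLE_LOG).items():
        print(f"{ip}: {s['hits']} {SUSPECT_ACTION} hits, {s['errors']} server errors")
```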
**Mitigation and prioritisation**:
- Patch to the latest version (post-1.7.7) or disable the plugin if a fix is unavailable.
- Enforce least privilege; remove or restrict Subscriber+ rights for this plugin where possible.
- Deploy WAF rules to validate rtafar_ajax inputs and block suspicious calls.
- Enable file integrity monitoring and application-layer auditing around the plugin.
- Test in staging, validate backups, and schedule a controlled patch window.
