CVE Alert: CVE-2025-10313 – jankimoradiya – Find And Replace content for WordPress

CVE-2025-10313

HIGH
No exploitation known

The Find And Replace content for WordPress plugin for WordPress is vulnerable to unauthorized Stored Cross-Site Scripting and Arbitrary Content Replacement due to a missing capability check on the far_admin_ajax_fun() function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that can make privilege escalation and malicious redirects possible.

CVSS v3.1 (7.2)
Vendor
jankimoradiya
Product
Find And Replace content for WordPress
Versions
* lte 1.1
CWE
CWE-862 Missing Authorization
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Published
2025-10-15T08:26:02.685Z
Updated
2025-10-15T14:10:17.736Z

AI Summary Analysis

Risk verdict

High risk: unauthenticated stored XSS and content replacement via the vulnerable plugin, with no current exploitation activity indicated.

Why this matters

Businesses rely on WordPress sites whose content is managed through plugins; an unauthenticated vector that can inject scripts and alter stored content can lead to credential theft, session hijacking, or redirection of visitors. The changed-scope metric (S:C) indicates potential impact beyond the plugin itself, threatening site integrity and user trust across affected deployments.

Most likely attack path

A remote attacker can target sites hosting the plugin without credentials, because the far_admin_ajax_fun() endpoint lacks a proper authorization check. Crafted input is stored and subsequently rendered in pages, enabling script execution for site visitors. The absence of required user interaction and the network-reachable attack surface raise the likelihood of automated probing and rapid spread across any exposed page content; the scope change implies possible collateral impact on other components.

Who is most exposed

WordPress sites running the Find And Replace content for WordPress plugin (especially older 1.0–1.1) on self-hosted environments, common among small to mid-sized sites and agencies.

Detection ideas

  • Look for unusual script tags or inline scripts in posts/pages edited via the affected plugin.
  • Monitor for unexpected redirects or UI changes from pages using plugin content.
  • Inspect access logs for unauthenticated requests to the plugin’s AJAX endpoints.
  • Alert on content changes that introduce script payloads or external script references.
  • Correlate rapid content changes with spikes in user-reported anomalies.

Mitigation and prioritisation

  • Patch or upgrade the plugin to a non-vulnerable version, or remove the plugin if it is not essential.
  • Disable the vulnerable AJAX endpoint or enforce authentication/least-privilege access.
  • Implement input validation and content sanitisation at the application layer; consider a Web Application Firewall rule to block suspicious payloads.
  • Schedule immediate patching in maintenance windows; test on staging sites first.
  • If feasible, conduct a site-wide content integrity check and incident response drills.
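To illustrate the class of bug described in the advisory and the "enforce authentication/least-privilege access" mitigation above, here is an added example (not the plugin's actual code, which this page does not show): a hypothetical WordPress AJAX handler that is reachable by logged-out visitors and performs a site-wide replace with no capability check, followed by the hardened form. The action name `far_replace`, the nonce name, the handler names and the `manage_options` capability choice are assumptions.

```php
<?php
// Added illustration of the bug class; hypothetical handler, not the plugin's own code.

// VULNERABLE PATTERN: registered on wp_ajax_nopriv_ (unauthenticated callers allowed),
// no nonce, no capability check, and the replacement text is stored unsanitised,
// so it is later rendered in pages as stored XSS. The SQL itself is parameterised;
// the defect is purely missing authorization and output sanitisation.
function demo_replace_handler_vulnerable() {
    global $wpdb;
    $find    = $_POST['find']    ?? '';
    $replace = $_POST['replace'] ?? '';
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->posts} SET post_content = REPLACE(post_content, %s, %s)",
        $find, $replace
    ) );
    wp_send_json_success();
}
// Registration as it would appear in the vulnerable version (shown commented out so
// only the hardened handler below is live in this file):
// add_action( 'wp_ajax_far_replace',        'demo_replace_handler_vulnerable' );
// add_action( 'wp_ajax_nopriv_far_replace', 'demo_replace_handler_vulnerable' );

// HARDENED PATTERN: authenticated-only hook, CSRF nonce, capability check, sanitised input.
function demo_replace_handler_hardened() {
    global $wpdb;
    // Reject requests without a valid nonce tied to this action (dies on failure).
    check_ajax_referer( 'far_replace_nonce', 'nonce' );
    // Site-wide content rewriting is an administrative action; require a high capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $find = sanitize_text_field( wp_unslash( $_POST['find'] ?? '' ) );
    // Limit the replacement to the HTML a post may legitimately contain (strips <script> etc.).
    $replace = wp_kses_post( wp_unslash( $_POST['replace'] ?? '' ) );
    if ( '' === $find ) {
        wp_send_json_error( 'empty search string', 400 );
    }
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->posts} SET post_content = REPLACE(post_content, %s, %s)",
        $find, $replace
    ) );
    wp_send_json_success();
}
// No wp_ajax_nopriv_ registration: logged-out requests never reach the handler at all.
add_action( 'wp_ajax_far_replace', 'demo_replace_handler_hardened' );
```

The matching nonce is generated server-side with `wp_create_nonce( 'far_replace_nonce' )` and sent by the admin page's JavaScript as the `nonce` POST field.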
