Malicious activity has been detected targeting a critical vulnerability in the ‘Better Search Replace’ WordPress plugin, with researchers observing thousands of attacks within the past 24 hours. The plugin, boasting over one million installations, aids in search and replace operations within databases during website migrations. Despite the plugin vendor, WP Engine, releasing version 1.4.5 last week to address a critical PHP object injection vulnerability (CVE-2023-6933), attackers are exploiting the flaw. The vulnerability allows unauthenticated attackers to inject a PHP object, potentially leading to code execution, data access, file manipulation, or a denial-of-service condition.
The security issue originates from deserializing untrusted input, making it possible for unauthenticated attackers to inject a PHP object, enabling malicious actions. While Better Search Replace isn’t directly vulnerable, it can be exploited if another plugin or theme on the same site contains the necessary Property Oriented Programming (POP) chain. Within the past 24 hours, WordPress security firm Wordfence reported blocking over 2,500 attacks targeting CVE-2023-6933. Users are strongly urged to upgrade to version 1.4.5 promptly, as the flaw impacts all Better Search Replace versions up to 1.4.4.
The WordPress plugin flaw has garnered attention due to its widespread usage, recording close to half a million downloads over the past week, with 81% of active versions being 1.4. Download statistics from WordPress.org indicate a substantial user base, making prompt updates crucial. It’s important to note that the exploitability of PHP object injection vulnerabilities often hinges on the existence of a suitable POP chain, triggered by the injected object for malicious actions. While WP Engine has addressed the vulnerability, the incident underscores the ongoing challenges of maintaining security in widely-used plugins within the WordPress ecosystem.