CVE-2025-9334 HIGH

CVE-2025-9334: Better Find and Replace <= 1.7.7 - Authenticated (Subscriber+) Limited Code Injection

Vendor Codesolz
Product Better Find and Replace – AI-Powered Suggestions
Weakness CWE-94 · Code injection
Published November 8, 2025
Last update April 8, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. This is due to insufficient input validation and restriction on the 'rtafar_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to call arbitrary plugin functions and execute code within those functions.
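An added illustration of the weakness class the description names, not code from the Better Find and Replace plugin or its vendor: a WordPress admin-ajax handler that lets the request choose which plugin function runs, shown beside a hardened form. The advisory only states that `rtafar_ajax` lacks sufficient input validation and restriction; the dispatch mechanism, the parameter names (`method`, `args`, `op`, `find`, `replace`), the nonce name and the helper functions `rtafar_preview_rules`/`rtafar_apply_rules` are all assumptions made for this example.

```php
<?php
// Added example, not the plugin's code. Names below are assumptions.

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_{action} hooks fire for any logged-in user, so every Subscriber
// can reach this handler via /wp-admin/admin-ajax.php?action=rtafar_ajax.
add_action( 'wp_ajax_rtafar_ajax', 'vuln_rtafar_ajax' );

function vuln_rtafar_ajax() {
    // Hypothetical: the request names the plugin function to run and
    // supplies its arguments.
    $method = isset( $_POST['method'] ) ? sanitize_text_field( wp_unslash( $_POST['method'] ) ) : '';
    $args   = isset( $_POST['args'] ) ? (array) wp_unslash( $_POST['args'] ) : array();

    // Authentication is implied by the hook, but there is no capability
    // check, no nonce, and $method is not restricted to an allowlist.
    // Any function the plugin (or WordPress) defines becomes callable
    // with attacker-chosen arguments: "limited" code injection.
    if ( function_exists( $method ) ) {
        wp_send_json_success( call_user_func_array( $method, $args ) );
    }
    wp_send_json_error( 'unknown method', 400 );
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_rtafar_ajax_safe', 'safe_rtafar_ajax' );

function safe_rtafar_ajax() {
    // 1. Authorization: find-and-replace rewrites site content, so require
    //    an administrative capability rather than merely "logged in".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // wp_send_json_error() exits
    }

    // 2. CSRF: verify the nonce issued on the plugin's admin page.
    //    check_ajax_referer() dies with -1 when the nonce is invalid.
    check_ajax_referer( 'rtafar_ajax_nonce', 'nonce' );

    // 3. Explicit allowlist: the request selects a key from a fixed map;
    //    it never names a callable directly.
    $allowed = array(
        'preview' => 'rtafar_preview_rules',   // assumed plugin helper
        'apply'   => 'rtafar_apply_rules',     // assumed plugin helper
    );
    $op = isset( $_POST['op'] ) ? sanitize_key( wp_unslash( $_POST['op'] ) ) : '';
    if ( ! isset( $allowed[ $op ] ) ) {
        wp_send_json_error( 'unknown operation', 400 );
    }

    // 4. Validate only the arguments the chosen operation expects, instead
    //    of forwarding an arbitrary array to call_user_func_array().
    $find    = isset( $_POST['find'] ) ? wp_unslash( $_POST['find'] ) : '';
    $replace = isset( $_POST['replace'] ) ? wp_unslash( $_POST['replace'] ) : '';
    if ( '' === $find ) {
        wp_send_json_error( 'find string required', 400 );
    }

    wp_send_json_success( call_user_func( $allowed[ $op ], $find, $replace ) );
}
```

The hardened handler is what an auditor checks for when reviewing any `wp_ajax_` callback: a capability check appropriate to the action, a nonce, and a fixed map from request values to code paths. A handler that passes a request-controlled string to `call_user_func`, `call_user_func_array`, or a variable-function call is the CWE-94 pattern this advisory classifies, regardless of how the string is sanitized first.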

Explanation of Vulnerability in Simple Terms

02 Summary

Better Find and Replace versions up to and including 1.7.7 expose an AJAX handler, 'rtafar_ajax', that does not adequately restrict which plugin functions a request may invoke. Any authenticated user, including one with only the Subscriber role, can therefore call arbitrary functions defined by the plugin and run the code inside them. The injection is "limited" in the sense that the attacker chooses among existing plugin functions rather than supplying raw PHP, but because find-and-replace operations rewrite site content and database values, the practical impact on confidentiality, integrity, and availability is rated High across the board.

What an attacker can do

03 Attacker Capabilities

Invoke arbitrary plugin functions through the 'rtafar_ajax' handler from a Subscriber-level account, executing whatever those functions do with the database and filesystem access the WordPress process already holds.

Potential impact on your site

04 Site Impact

Any account at Subscriber level or above, for example a compromised or self-registered one where registration is open, can be used to achieve complete site takeover, data theft, malware injection, or site defacement.

Conditions required to exploit

05 Prerequisites

Attacker must be authenticated to the WordPress site with the Subscriber role or any higher role, and the vulnerable plugin (version 1.7.7 or earlier) must be installed and active.

Key dates

06 Disclosure timeline

November 8, 2025 CVE published
April 8, 2026 Record updated