What the vulnerability does
01 Description
The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. This is due to insufficient input validation and restriction on the 'rtafar_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to call arbitrary plugin functions and execute code within those functions.
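The weakness described above is a dispatch problem: an admin-ajax handler that lets the request decide which PHP function runs, with no allowlist and no capability check in front of it. The following is an added illustration written for this page, not the plugin's own code, of that weak pattern next to a hardened handler. Every name prefixed `bfr_example_` is hypothetical; the WordPress functions used (`check_ajax_referer`, `current_user_can`, `sanitize_key`, `wp_unslash`, `sanitize_text_field`, `wp_send_json_error`, `wp_send_json_success`, `add_action`, `$wpdb->prepare`, `$wpdb->esc_like`, `get_option`) are real core APIs.

```php
<?php
/**
 * Added illustration, not the plugin's own code.
 * Shows why "call whatever function the request names" is a code-injection
 * primitive, and the allowlist + capability pattern that closes it.
 * All bfr_example_* names are hypothetical.
 */

// Weak pattern (for contrast only): the client names the function to run.
// Any authenticated user who can reach admin-ajax.php can reach any function,
// which is the class of bug the advisory above describes.
function bfr_example_ajax_weak() {
    $fn   = isset( $_POST['func'] ) ? $_POST['func'] : '';
    $args = isset( $_POST['args'] ) ? (array) $_POST['args'] : array();
    if ( function_exists( $fn ) ) {
        call_user_func_array( $fn, $args ); // no allowlist, no capability check
    }
    wp_die();
}

// Hardened pattern: fixed map of operations the client may select by key.
// The client never supplies a PHP function name.
function bfr_example_allowed_operations() {
    return array(
        'count'   => 'bfr_example_count_matches',
        'preview' => 'bfr_example_preview_replacement',
    );
}

function bfr_example_ajax_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this specific action.
    //    check_ajax_referer() dies with HTTP 403 on failure.
    check_ajax_referer( 'bfr_example_nonce', 'nonce' );

    // 2. Authorization: database-wide find-and-replace is an administrator task,
    //    so Subscriber- and Contributor-level accounts are rejected here.
    //    wp_send_json_error() terminates the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Dispatch only through the allowlist. sanitize_key() reduces the value
    //    to [a-z0-9_-], so it can never resolve to an arbitrary symbol.
    $op  = isset( $_POST['op'] ) ? sanitize_key( wp_unslash( $_POST['op'] ) ) : '';
    $map = bfr_example_allowed_operations();
    if ( ! isset( $map[ $op ] ) ) {
        wp_send_json_error( array( 'message' => 'unknown operation' ), 400 );
    }

    // 4. Inputs are sanitized before they reach any operation; nothing raw is
    //    forwarded as a callable or as a parameter list.
    $find    = isset( $_POST['find'] )    ? sanitize_text_field( wp_unslash( $_POST['find'] ) )    : '';
    $replace = isset( $_POST['replace'] ) ? sanitize_text_field( wp_unslash( $_POST['replace'] ) ) : '';

    wp_send_json_success( call_user_func( $map[ $op ], $find, $replace ) );
}
add_action( 'wp_ajax_bfr_example', 'bfr_example_ajax_hardened' );
// Deliberately no 'wp_ajax_nopriv_' registration: anonymous requests get nothing.

// Hypothetical operation: count posts whose content contains the search string.
// The LIKE pattern is escaped and bound through prepare(), so the search term
// cannot alter the query.
function bfr_example_count_matches( $find, $replace ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $find ) . '%';
    $n    = $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_content LIKE %s",
        $like
    ) );
    return array( 'matches' => (int) $n );
}

// Hypothetical operation: show the effect of a replacement on one option value
// without writing anything back.
function bfr_example_preview_replacement( $find, $replace ) {
    $sample = (string) get_option( 'blogdescription', '' );
    return array(
        'before' => $sample,
        'after'  => ( '' === $find ) ? $sample : str_replace( $find, $replace, $sample ),
    );
}
```

The three checks in the hardened handler are independent, and an audit of an AJAX endpoint should confirm each one separately: a valid nonce says only that the request came from a page the site served to that user, `current_user_can()` says whether that user may perform the operation at all, and the allowlist map bounds what code can run even when the first two pass. The advisory's Subscriber-level precondition is exactly the gap left when the second and third checks are absent.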
Explanation of Vulnerability in Simple Terms
02 Summary
Better Find and Replace versions up to 1.7.7 contain a code injection vulnerability that allows authenticated users to execute arbitrary PHP code on the site. An attacker with low-level access can inject malicious code through the plugin's find-and-replace functionality, gaining full control over the WordPress installation. This affects confidentiality, integrity, and availability of the site.
What an attacker can do
03 Attacker Capabilities
Run arbitrary PHP code on the site with full access to the database and files.
Potential impact on your site
04 Site Impact
A compromised user account can lead to complete site takeover, data theft, malware injection, or site defacement.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-level user account (e.g., contributor or editor role) on the WordPress site.
Key dates
06 Disclosure timeline
November 8, 2025: CVE published
April 8, 2026: Record updated