
WARNING: CRITICAL INJECTION VULNERABILITY IN THE BETTER SEARCH REPLACE PLUGIN FOR WORDPRESS, PATCH IMMEDIATELY!

Reference: 
Advisory #2024-15
Version: 
1.0
Affected software: 
Better Search Replace plugin for WordPress
Type: 
Injection vulnerability
CVE/CVSS: 

CVE-2023-6933
CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Risks

The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection. Whether this can be exploited depends on a POP (Property-Oriented Programming) chain being present on the target site: if one is, an attacker could perform a range of malicious actions, such as retrieving sensitive data or deleting arbitrary files. The impact on Confidentiality, Integrity and Availability is High. No privileges or user interaction are required to exploit this vulnerability.

All versions up to and including 1.4.4 are vulnerable through deserialization of untrusted input. Wordfence reported blocking 2,585 attacks targeting this vulnerability within a single 24-hour period, so the vulnerability is being actively exploited.

Description

CVE-2023-6933 allows unauthenticated attackers to inject a PHP object. The vulnerable plugin itself does not contain a POP chain, but if one is present in another plugin or theme installed on the target system, the attacker could use it to delete arbitrary files, retrieve sensitive data, or execute code. This is what makes the bug dangerous in practice: WordPress sites typically run many plugins, and the attacker only needs one of them to ship a class with a usable magic method.
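To make the mechanism concrete, the following is an added PHP example written for this advisory; it is not code from the Better Search Replace plugin, from Wordfence, or from any real WordPress plugin. The `CacheFile` class is a hypothetical gadget standing in for a class that some other installed plugin or theme might provide, and the two `restore_setting_*` functions are hypothetical stand-ins for code that deserializes a request-controlled value. The payload is constructed inline and points at a temporary file so the demonstration is harmless.

```php
<?php
// Added example (PHP 8+), not code from Better Search Replace or Wordfence.
// It shows the PHP Object Injection bug class behind CVE-2023-6933:
// untrusted data reaching unserialize() while a "gadget" class with a
// dangerous magic method happens to be loaded by another plugin or theme.

// Hypothetical gadget class. Nothing in it is attacker-written; it simply
// trusts its own properties when PHP destroys the object.
class CacheFile
{
    public string $path;

    public function __destruct()
    {
        // A plausible cleanup routine: remove the file this object tracks.
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern (hypothetical function name): the serialized string
// comes straight from the request and every class in it gets instantiated.
function restore_setting_vulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern: refuse to instantiate any class from the payload.
// Objects in the input become __PHP_Incomplete_Class, so no magic method
// of a real class (__destruct, __wakeup, __toString, ...) can run.
function restore_setting_hardened(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Constructed attacker payload: a serialized CacheFile whose "path" is the
// file the attacker wants deleted (a temp file here, for a safe demo).
$victim  = tempnam(sys_get_temp_dir(), 'poi');
$payload = 'O:9:"CacheFile":1:{s:4:"path";s:' . strlen($victim) . ':"' . $victim . '";}';

// 1. Hardened path: the object is never built as a real CacheFile.
$obj = restore_setting_hardened($payload);
printf("hardened:   unserialized as %s; file still exists: %s\n",
    get_class($obj), var_export(file_exists($victim), true));
unset($obj);

// 2. Vulnerable path: a real CacheFile is built from attacker data and its
//    __destruct() fires as soon as the object goes out of scope.
$obj = restore_setting_vulnerable($payload);
unset($obj);
printf("vulnerable: file still exists: %s\n", var_export(file_exists($victim), true));
```

Run with `php example.php`: the hardened call yields a `__PHP_Incomplete_Class` and the temporary file survives, while the vulnerable call deletes it without the plugin author ever writing a line of file-deletion code. Note that `allowed_classes => false` still parses the data structure, and PHP re-serializes a `__PHP_Incomplete_Class` under its original class name, so a search-and-replace tool can rewrite serialized values without ever instantiating attacker-chosen classes; where the data format is under your control, `json_decode()` avoids the problem entirely.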

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates on vulnerable installations with the highest priority, after thorough testing.

Update the plugin to version 1.4.5 or later.

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, so that an intrusion can be responded to swiftly.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
Updating the plugin to a patched version prevents future exploitation, but it does not remediate a compromise that has already taken place; sites that ran a vulnerable version while exploitation was being observed should be checked for signs of prior intrusion.
