Description
The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to unauthorized API usage due to a missing capability check on the rtafar_ajax() function in all versions up to, and including, 1.7.7. This makes it possible for authenticated attackers, with Subscriber-level access, to trigger OpenAI API key usage resulting in quota consumption potentially incurring cost.
Published: 2025-11-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized API usage leading to potential cost
Action: Patch
AI Analysis

Impact

The Better Find and Replace – AI-Powered Suggestions plugin contains a missing capability check in the rtafar_ajax() function across all versions up to 1.7.7. As a result, any authenticated user with Subscriber-level access can trigger the plugin to call the OpenAI API using the site’s API key. This allows the attacker to consume API quota and potentially generate unintended charges to the site owner, without exposing code execution or data exfiltration abilities.

Affected Systems

WordPress sites using the Better Find and Replace – AI-Powered Suggestions plugin, versions up through 1.7.7, are affected.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity, but the EPSS score of less than 1% suggests that exploitation is unlikely to be widespread at present. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to have authenticated access as a Subscriber; once logged in, the attacker can simply invoke the unauthorized API endpoint to trigger costly OpenAI requests.

Generated by OpenCVE AI on April 22, 2026 at 12:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Better Find and Replace – AI-Powered Suggestions plugin to a patched version that resolves the missing capability check.
  • If upgrading immediately is not possible, block or hard‑code the rtafar_ajax endpoint for Subscriber users (e.g., via a custom plugin or .htaccess) to prevent unauthorized API calls until a patch is applied.
  • Consider revoking or temporarily disabling the site's OpenAI API key in WordPress settings to stop external calls until the plugin is fixed.

Generated by OpenCVE AI on April 22, 2026 at 12:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 06 Nov 2025 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Codesolz
Codesolz better Find And Replace
Wordpress
Wordpress wordpress
Vendors & Products Codesolz
Codesolz better Find And Replace
Wordpress
Wordpress wordpress

Thu, 06 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 06 Nov 2025 07:45:00 +0000

Type Values Removed Values Added
Description The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to unauthorized API usage due to a missing capability check on the rtafar_ajax() function in all versions up to, and including, 1.7.7. This makes it possible for authenticated attackers, with Subscriber-level access, to trigger OpenAI API key usage resulting in quota consumption potentially incurring cost.
Title Better Find and Replace <= 1.7.7 - Missing Authorization
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Codesolz Better Find And Replace
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:01:20.588Z

Reserved: 2025-10-27T16:20:33.609Z

Link: CVE-2025-12360

cve-icon Vulnrichment

Updated: 2025-11-06T14:51:32.468Z

cve-icon NVD

Status : Deferred

Published: 2025-11-06T08:15:38.720

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12360

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T13:00:09Z

Weaknesses