Description
The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. This is due to insufficient input validation and restriction on the 'rtafar_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to call arbitrary plugin functions and execute code within those functions.
Published: 2025-11-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Limited Code Injection
Action: Apply Patch
AI Analysis

Impact

The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to limited code injection through the rtafar_ajax function. The flaw stems from insufficient input validation and a lack of restrictions on that function, allowing an authenticated user with at least Subscriber privileges to invoke arbitrary plugin functions and execute code within those functions. This weakness is a classic code injection scenario (CWE-94) and can lead to remote code execution on the server if the plugin code runs with elevated privileges.

Affected Systems

The issue affects all versions of the Better Find and Replace – AI-Powered Suggestions plugin released by codesolz up to and including 1.7.7. Any installation running a version equal to or lower than 1.7.7 is affected; versions beyond 1.7.7 are not impacted.

Risk and Exploitability

The CVSS score of 8.8 signals a high-severity flaw. The EPSS score is less than 1 percent, indicating a very low predicted exploitation probability at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Although the attack requires a valid account with Subscriber or higher access, the threat remains significant for sites with many registered users or that rely on the plugin. An attacker would use the rtafar_ajax endpoint to trigger the plugin’s internal functions and inject malicious code, potentially compromising the site.

Generated by OpenCVE AI on April 22, 2026 at 13:57 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest version (1.7.8 or newer) where the issue has been fixed.
  • If an upgrade is not immediately possible, limit access to the rtafar_ajax endpoint to administrators only or remove the endpoint entirely.
  • Review user roles and reduce the number of subscriber accounts or downgrade them to lower roles to shrink the attack surface.
  • Consider disabling or uninstalling the plugin if it is no longer essential to your operations.
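The second recommended action (restricting the rtafar_ajax endpoint to administrators until the plugin is upgraded) can be implemented as a WordPress must-use plugin. The following is an added example, not code from the Better Find and Replace plugin, from codesolz or from OpenCVE. It assumes the endpoint is reached through admin-ajax.php with the request parameter action=rtafar_ajax; the advisory text names the function but does not confirm how it is routed, so verify that assumption against the installed plugin before relying on this stopgap.

```php
<?php
/**
 * Plugin Name: Stopgap - restrict rtafar_ajax to administrators
 * Description: Added example (not the plugin's own code). Place this file in
 *              wp-content/mu-plugins/ so it loads before regular plugins.
 *
 * Assumption: the vulnerable endpoint is dispatched by admin-ajax.php with
 * action=rtafar_ajax. If the plugin routes the call differently, this hook
 * will not see the request.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// admin-ajax.php fires 'admin_init' before it dispatches wp_ajax_{action},
// so a priority-0 callback here runs ahead of the plugin's own handler.
add_action( 'admin_init', 'stopgap_block_rtafar_ajax_for_non_admins', 0 );

function stopgap_block_rtafar_ajax_for_non_admins() {
    // Only inspect AJAX requests; ordinary admin page loads are untouched.
    if ( ! wp_doing_ajax() ) {
        return;
    }

    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';

    if ( 'rtafar_ajax' !== $action ) {
        return;
    }

    // Administrators keep normal access to the plugin's AJAX handler.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    // Record the refused call so attempts are visible in the PHP error log
    // (useful as a detection signal while the site is still on <= 1.7.7).
    $remote = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'stopgap: refused rtafar_ajax for user %d from %s',
        get_current_user_id(),
        $remote
    ) );

    // Respond with 403 and stop processing before the plugin's handler runs.
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
}
```

The check is keyed on the capability manage_options rather than on the "administrator" role name, which is the WordPress-idiomatic way to say "administrators only" and keeps working on sites with custom roles. Remove the file once the plugin has been upgraded to 1.7.8 or newer, since it would otherwise keep blocking legitimate non-admin users of whatever the endpoint is meant to do.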


Tracking


Advisories

No advisories yet.

History

Mon, 10 Nov 2025 20:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 10 Nov 2025 09:45:00 +0000

Type               | Values Removed | Values Added
First Time appeared|                | Codesolz; Codesolz better Find And Replace; Wordpress; Wordpress wordpress
Vendors & Products |                | Codesolz; Codesolz better Find And Replace; Wordpress; Wordpress wordpress

Sat, 08 Nov 2025 06:00:00 +0000

Type        | Values Removed | Values Added
Description |                | The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. This is due to insufficient input validation and restriction on the 'rtafar_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to call arbitrary plugin functions and execute code within those functions.
Title       |                | Better Find and Replace <= 1.7.7 - Authenticated (Subscriber+) Limited Code Injection
Weaknesses  |                | CWE-94
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Codesolz Better Find And Replace
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:53.286Z

Reserved: 2025-08-21T23:29:44.529Z

Link: CVE-2025-9334

Vulnrichment

Updated: 2025-11-10T19:09:14.004Z

NVD

Status: Deferred

Published: 2025-11-08T06:15:41.270

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9334

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T14:00:18Z

Weaknesses