Hackers target WordPress database plugin active on 1 million sites

Researchers have identified a surge in malicious activity targeting a critical severity vulnerability in the ‘Better Search Replace’ WordPress plugin. This plugin, boasting over one million installations, facilitates search and replace operations in databases during website migrations to new domains or servers.

Administrators leverage Better Search Replace to locate and replace specific text in the database or manage serialized data. The plugin offers selective replacement options, WordPress Multisite support, and a “dry run” feature to ensure smooth operations.

WP Engine, the plugin vendor, released version 1.4.5 last week to address a critical PHP object injection vulnerability identified as CVE-2023-6933. This security issue arises from deserializing untrusted input, enabling unauthenticated attackers to inject a PHP object. Successful exploitation could result in code execution, access to sensitive data, file manipulation or deletion, and triggering an infinite loop denial of service condition.

Wordfence, a WordPress security firm, reports having blocked over 2,500 attacks targeting CVE-2023-6933 in the past 24 hours. Although Better Search Replace on its own does not give an attacker a way to complete an exploit, it can be used to execute code, retrieve sensitive data, or delete files if another plugin or theme on the same site contains a Property Oriented Programming (POP) chain.

PHP object injection vulnerabilities become exploitable when a suitable POP chain is present: the injected object's magic methods (such as `__wakeup` or `__destruct`) run automatically during deserialization and trigger the chain, which then performs the malicious actions. The identified flaw affects all Better Search Replace versions up to 1.4.4, and users are strongly advised to upgrade to version 1.4.5 promptly.
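The following added PHP example is not Better Search Replace's code and makes no claim about how that plugin handles its input; it is a generic illustration of the unsafe pattern the article describes (calling `unserialize()` on request data) beside two hardened alternatives, using a constructed, harmless `AuditLogger` class to show that a magic method fires during deserialization unless object instantiation is disabled.

```php
<?php
// Hypothetical class, constructed for this example. Any class on a site whose
// __wakeup()/__destruct() has side effects is a potential link in a POP chain,
// because PHP calls these methods automatically while unserializing.
class AuditLogger {
    public $message = 'constructed sample';
    public function __wakeup() {
        // Side effect runs inside unserialize(), before the caller sees the object.
        error_log('AuditLogger::__wakeup ran with: ' . $this->message);
    }
}

// Unsafe pattern: untrusted input reaches unserialize() with every class allowed,
// so any object the payload names is instantiated and its magic methods run.
function unsafe_restore(string $raw) {
    return unserialize($raw);
}

// Hardened option 1 (PHP >= 7.0): forbid object instantiation. Objects in the
// payload become __PHP_Incomplete_Class and no magic method is invoked.
function safe_restore(string $raw) {
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        return null; // malformed or rejected input
    }
    return $value;
}

// Hardened option 2: do not use PHP's native format for untrusted data at all.
// JSON cannot express PHP objects, so there is nothing for a gadget chain to hook.
function safe_restore_json(string $raw): ?array {
    $value = json_decode($raw, true);
    return (json_last_error() === JSON_ERROR_NONE && is_array($value)) ? $value : null;
}

// Constructed sample: the kind of search/replace settings a migration form carries.
$settings = serialize(['search' => 'old.example', 'replace' => 'new.example']);
var_dump(safe_restore($settings)['replace']);        // string(11) "new.example"

// Constructed sample: the same structure, but one value is an object.
$withObject = serialize(['search' => 'x', 'meta' => new AuditLogger()]);
$safe = safe_restore($withObject);
var_dump($safe['meta'] instanceof __PHP_Incomplete_Class); // bool(true); __wakeup did not run
$unsafe = unsafe_restore($withObject);                     // __wakeup runs here and logs
var_dump($unsafe['meta'] instanceof AuditLogger);          // bool(true)
```

Detection-wise, the same contrast applies when reviewing a site's plugins: `unserialize()` calls on `$_POST`, `$_GET`, cookies or uploaded files without an `allowed_classes` restriction are the places to audit first.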

As of the latest update, Wordfence clarified that their initial detection rule may have captured attempts related to other vulnerabilities, such as CVE-2023-25135. However, the majority of the attacks are attributed to exploitation attempts for CVE-2023-6933.

WordPress.org recorded nearly half a million downloads of Better Search Replace over the past week. 81% of active installations run a 1.4.x version, but the statistics do not break this down by minor release, so how many of those sites have already moved to the patched 1.4.5 is unclear.
