Better Search Replace Plugin Threat Affects a Million Sites

A critical vulnerability in WordPress’s popular Better Search Replace plugin has been discovered and patched. The plugin has over 1 million active installs, and the vulnerability carries a severity score of 9.8 on a scale of 1-10, making it a significant threat to website security.

Better Search Replace Plugin Overview

The Better Search Replace plugin, initially created by Delicious Brains and now developed by WP Engine, simplifies and automates search and replace tasks within a WordPress website’s database. This functionality is especially handy during site or server migration. The plugin comes in free and paid Pro versions, offering a range of features, including serialization support, table selection, and WordPress Multisite support.

PHP Object Injection Vulnerability

The critical vulnerability identified in the Better Search Replace plugin is associated with a PHP Object Injection flaw. In WordPress, PHP Object Injection occurs when user-supplied input is improperly unserialized, enabling attackers to execute malicious code, compromise security, and retrieve sensitive data.

The Open Worldwide Application Security Project (OWASP) describes PHP Object Injection as an application-level vulnerability that can lead to various malicious attacks, including Code Injection, SQL Injection, Path Traversal, and Application Denial of Service.

In the case of Better Search Replace, the vulnerability stems from inadequate sanitization of user inputs during the deserialization process in search and replace operations. Though the plugin lacked a POP chain – a series of linked classes and functions that could trigger malicious actions during object unserialization – the risk persisted if other plugins or themes on the same website contained a POP chain.

Swift Response from WP Engine

Following the responsible disclosure of the vulnerability by Wordfence on December 18, 2023, WP Engine promptly addressed the issue. The plugin was updated to version 1.4.5 on January 18, 2024, implementing security measures to prevent the instantiation of objects during search and replace operations, thereby mitigating the risk of running potentially malicious code stored in the database.
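The following PHP is an added illustration, not code from the plugin or from the article: it contrasts a search/replace routine that calls a plain unserialize() with one that refuses to instantiate any class, which is the kind of change the article describes for version 1.4.5. The helper class (standing in for a POP-chain gadget from some other plugin or theme) and the sample database value are constructed for the demo.

```php
<?php
// Added example (not the plugin's code): search/replace over a serialized
// database value, first with a plain unserialize() and then hardened with
// allowed_classes => false so that no object is ever instantiated.

// Constructed stand-in for a class shipped by some other plugin or theme whose
// magic method runs as a side effect of unserialization (a benign "POP chain").
class SomeOtherPluginHelper {
    public $note = '';
    public static $wakeups = 0;
    public function __wakeup() { self::$wakeups++; }
}

// Recursively replace $search with $replace inside strings and arrays.
// Objects and other scalars are passed through untouched.
function replace_deep($value, string $search, string $replace) {
    if (is_string($value)) {
        return str_replace($search, $replace, $value);
    }
    if (is_array($value)) {
        foreach ($value as $k => $v) { $value[$k] = replace_deep($v, $search, $replace); }
    }
    return $value;
}

// Vulnerable form: unserialize() may instantiate any class named in the data,
// so a gadget class present anywhere on the site gets its magic methods run.
function replace_serialized_unsafe(string $data, string $s, string $r): string {
    $unserialized = @unserialize($data);
    if ($unserialized === false) { return str_replace($s, $r, $data); } // not serialized
    return serialize(replace_deep($unserialized, $s, $r));
}

// Hardened form: every object becomes a __PHP_Incomplete_Class, so no
// __wakeup/__destruct can run, yet serialize() still round-trips the value.
function replace_serialized_safe(string $data, string $s, string $r): string {
    $unserialized = @unserialize($data, ['allowed_classes' => false]);
    if ($unserialized === false) { return str_replace($s, $r, $data); } // not serialized
    return serialize(replace_deep($unserialized, $s, $r));
}

// Constructed sample "database value": a serialized object of the helper class.
$payload = serialize(new SomeOtherPluginHelper());

replace_serialized_unsafe($payload, 'old.example', 'new.example');
echo "unsafe: __wakeup ran " . SomeOtherPluginHelper::$wakeups . " time(s)\n"; // 1

$out = replace_serialized_safe($payload, 'old.example', 'new.example');
echo "safe:   __wakeup ran " . SomeOtherPluginHelper::$wakeups . " time(s)\n"; // still 1
echo "safe output preserves the original value: " . ($out === $payload ? 'yes' : 'no') . "\n";
```

Run with any PHP 7.0 or newer interpreter; the `allowed_classes` option to unserialize() exists from PHP 7.0 onward.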

Key Takeaways

Users of the Better Search Replace plugin need to update to the latest version, 1.4.5, immediately to safeguard their websites from potential unauthorized access, arbitrary file deletions, and data breaches. Failure to update could expose websites to serious security threats, considering the widespread use of this plugin in the WordPress ecosystem. Stay secure by staying updated.

***

Do you need help in maintaining your WordPress website? Cybertegic is a web design agency in Los Angeles that can help you maintain your WordPress website. Schedule a free business consultation today.