Skip to main content
CVE Vulnerability Database

CVE-2025-9334: WordPress Better Find & Replace RCE Flaw

CVE-2025-9334 is a code injection vulnerability in the Better Find and Replace WordPress plugin, allowing authenticated subscribers to execute arbitrary code. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2025-9334 Overview

CVE-2025-9334 affects the Better Find and Replace – AI-Powered Suggestions plugin for WordPress in all versions up to and including 1.7.7. The vulnerability stems from insufficient input validation and restriction on the rtafar_ajax function. Authenticated attackers with Subscriber-level access or higher can call arbitrary plugin functions and execute code within them. The flaw is classified under CWE-94 (Improper Control of Generation of Code) and impacts confidentiality, integrity, and availability of affected WordPress sites.

Critical Impact

Authenticated Subscriber-level users can invoke arbitrary plugin functions through the exposed AJAX handler, leading to limited code injection on the WordPress instance.

Affected Products

  • Better Find and Replace – AI-Powered Suggestions plugin for WordPress
  • All versions up to and including 1.7.7
  • WordPress sites with Subscriber-level (or higher) user registration enabled

Discovery Timeline

  • 2025-11-08 - CVE-2025-9334 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-9334

Vulnerability Analysis

The Better Find and Replace – AI-Powered Suggestions plugin exposes the rtafar_ajax AJAX action without sufficient input validation on the requested function name or its parameters. The handler routes incoming AJAX requests to internal plugin functions based on user-supplied input. Because the allowed function set is not properly restricted, an authenticated attacker can pivot the AJAX endpoint into a generic function dispatcher inside the plugin.

Review of the plugin source in core/actions/RTAFAR_CustomAjax.php, core/admin/functions/DbReplacer.php, and core/lib/Util.php shows that the AJAX handler passes attacker-controlled values into routines that perform database replacement and utility operations. This enables an attacker to invoke privileged plugin operations from a low-privileged session.

Root Cause

The root cause is improper control of code generation [CWE-94] in the rtafar_ajax handler. The function lacks a strict allowlist for callable plugin functions and does not enforce a capability check appropriate to the operations being executed. Subscriber-level authentication is treated as sufficient for actions that should require administrative privilege.

Attack Vector

The attack vector is network-based and requires only Subscriber-level authentication, which many WordPress sites grant through open registration. An attacker sends a crafted POST request to admin-ajax.php targeting the rtafar_ajax action with a function name and parameters that map to sensitive plugin routines. The plugin then executes the chosen function, allowing limited code injection through plugin-controlled execution paths such as database content replacement. Detailed source-level references are available in the Wordfence Vulnerability Report and the WordPress Plugin Ajax Code.

Detection Methods for CVE-2025-9334

Indicators of Compromise

  • POST requests to wp-admin/admin-ajax.php containing the action=rtafar_ajax parameter originating from Subscriber-level accounts
  • Unexpected modifications to WordPress database content matching find-and-replace patterns not initiated by administrators
  • New or modified administrator accounts, options, or post content shortly after rtafar_ajax requests
  • Plugin error log entries referencing RTAFAR_CustomAjax.php, DbReplacer.php, or Util.php

Detection Strategies

  • Inspect web server access logs for repeated rtafar_ajax action invocations from non-administrative sessions
  • Compare installed plugin version against the patched release referenced in WordPress Changeset #3389979
  • Monitor for authenticated low-privilege users issuing AJAX requests with parameters such as function names or callable identifiers

Monitoring Recommendations

  • Alert on any Subscriber or Contributor account triggering plugin AJAX endpoints associated with database modification
  • Track WordPress audit logs for content rewrites, option changes, or user role changes correlating with rtafar_ajax traffic
  • Baseline normal AJAX call patterns and flag deviations involving the Better Find and Replace plugin

How to Mitigate CVE-2025-9334

Immediate Actions Required

  • Update the Better Find and Replace – AI-Powered Suggestions plugin to a version newer than 1.7.7 that includes the fix from WordPress Changeset #3389979
  • Audit existing user accounts and remove untrusted Subscriber-level accounts created during the exposure window
  • Review database content and administrative settings for unauthorized modifications
  • Rotate WordPress administrator credentials and any API keys stored in plugin options

Patch Information

The vendor addressed the issue in the source tree referenced by WordPress Changeset #3389979. The fix restricts which functions can be invoked through the rtafar_ajax handler and tightens capability checks. Administrators should install the latest plugin release from the WordPress plugin repository.

Workarounds

  • Deactivate and remove the Better Find and Replace plugin until the patched version is installed
  • Disable open user registration or restrict the default role to a level that cannot reach admin-ajax.php authenticated actions
  • Apply a Web Application Firewall rule that blocks unauthenticated and Subscriber-level POST requests to admin-ajax.php with action=rtafar_ajax
bash
# Example WAF rule blocking the vulnerable AJAX action for low-privilege roles
# (ModSecurity-style pseudo-rule)
SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" \
  "chain,deny,status:403,id:1009334,msg:'Block CVE-2025-9334 rtafar_ajax abuse'"
  SecRule ARGS:action "@streq rtafar_ajax" "t:none"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.