Security Advisory: Hackers Target WordPress Database Plugin Active on 1 Million Sites

Hackers Target WordPress Database Plugin Active on 1 Million Sites (CVE-2023-6933)


Better Search Replace is a widely-used WordPress plugin, boasting over one million installations. It’s an essential tool for admins, facilitating search and replace operations in databases during site migrations to new domains or servers. Its capabilities include handling serialized data, providing selective replacement options, supporting WordPress Multisite, and offering a “dry run” option for seamless operations.

A critical severity flaw in the ‘Better Search Replace’ plugin has sparked concern due to recent malicious activities. This vulnerability, arising from an unspecified input manipulation, leads to a code injection vulnerability. Identified as CVE-2023-6933 and rated 9.8 on the Common Vulnerability Scoring System (CVSS), the flaw is significant, although it lacks a Property Oriented Programming (POP) chain in the plugin. However, if a POP chain exists in an additional plugin or theme on the target system, it could enable attackers to delete files, access sensitive data, or execute code.

Wordfence, a security firm specializing in WordPress, reports that it has thwarted over 2,500 attacks targeting this vulnerability on its client sites. This indicates a substantial risk, with over 150,000 WordPress sites potentially vulnerable to takeover.

Affected Devices

All versions of Better Search Replace up to 1.4.4 are affected by this flaw.

Recommended Remediations

CTRL strongly recommend upgrading all Better Search Replace versions to 1.4.5 as soon as possible to mitigate attack vectors.