January 30, 2024

Better Search Replace WordPress Vulnerability Affects Up To +1 Million Sites

Introduction: A Pivotal Discovery in WordPress Plugin Security

A critical-severity vulnerability has been identified and promptly patched in the widely used Better Search Replace plugin for WordPress. With over 1 million active installations, the potential impact of this vulnerability could extend to arbitrary code execution, sensitive file retrieval, and arbitrary file deletion. Let’s look at the details of this security flaw and its implications.

Assessing Severity Levels: A Critical Rating

Severity Point System:

1. Low: 0.1-3.9
2. Medium: 4.0-6.9
3. High: 7.0-8.9
4. Critical: 9.0-10.0

The vulnerability identified in the Better Search Replace plugin is rated Critical, with a score of 9.8 on this scale.

Better Search Replace Plugin Overview

Developed by WP Engine, the Better Search Replace plugin plays a pivotal role in simplifying and automating search and replace tasks on WordPress website databases. Originally created by Delicious Brains, the plugin facilitates seamless execution of these tasks, proving particularly valuable during site or server migration. Available in both free and paid Pro versions, the plugin’s popularity is attributed to its ease of use and historical reputation as a reliable tool.

Features of the Free Version:

1. Serialization support for all tables
2. Selection of specific tables
3. “Dry run” capability for assessing field updates
4. No specific server requirements beyond a running WordPress installation
5. WordPress Multisite support

Pro Version Enhancements:

1. Change tracking
2. Database backup and import during plugin operation
3. Extended support

The Vulnerability: PHP Object Injection

The identified vulnerability falls under the category of PHP Object Injection, a critical application-level vulnerability. In the context of WordPress, this vulnerability arises when user-supplied input is unsafely unserialized. Unserialization is the process of converting string representations of objects back into PHP objects.

OWASP Description of PHP Object Injection:

“PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal, and Application Denial of Service, depending on the context.”

The vulnerability stems from inadequate sanitization of user inputs, allowing attackers to inject serialized objects, potentially leading to arbitrary code execution or compromising website security.

The Better Search Replace Plugin's Exposure

Wordfence, a cybersecurity organization, sheds light on the specifics of the vulnerability in the Better Search Replace plugin:

“The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.”

In response to this critical revelation, WP Engine swiftly addressed the issue with the release of version 1.4.5 on January 18, 2024.

Security Measure Implemented:

“Security: Unserializing an object during search and replace operations now passes ‘allowed_classes’ => false to avoid instantiating the object and potentially running malicious code stored in the database.”
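
The effect of the 'allowed_classes' => false option from the changelog entry above can be seen in a short PHP script. This is an added example, not code from the plugin: the DemoGadget class, the probe() helper and the serialized string are constructed for illustration, and the destructor only increments a counter.

```php
<?php
// Added example. DemoGadget is a constructed stand-in for a class that some
// other plugin or theme might define; it is not part of Better Search Replace.
final class DemoGadget
{
    public static $destructed = 0;   // how many times __destruct() has run
    public $label = 'demo';

    public function __destruct()
    {
        // Magic methods like this one run automatically on unserialized
        // objects. This one only counts its own invocations.
        self::$destructed++;
    }
}

// Constructed sample: a serialized object as it could sit in a database row.
$stored = 'O:10:"DemoGadget":1:{s:5:"label";s:4:"demo";}';

/**
 * Unserialize $data with the given options, drop the result, and report
 * which class came back and whether a destructor ran as a side effect.
 */
function probe(string $data, array $options): array
{
    $before = DemoGadget::$destructed;
    $value  = unserialize($data, $options);
    $class  = is_object($value) ? get_class($value) : gettype($value);
    unset($value); // last reference released: __destruct() fires if the class was instantiated
    return [
        'class'           => $class,
        'destructors_run' => DemoGadget::$destructed - $before,
    ];
}

// Default behaviour: any loaded class named in the data is instantiated.
$default = probe($stored, []);

// Behaviour with the option named in the 1.4.5 changelog: no class is instantiated.
$hardened = probe($stored, ['allowed_classes' => false]);

printf("default:                  class=%s destructors_run=%d\n",
    $default['class'], $default['destructors_run']);
printf("allowed_classes => false: class=%s destructors_run=%d\n",
    $hardened['class'], $hardened['destructors_run']);
```

With the option set, PHP returns the value as a __PHP_Incomplete_Class placeholder instead of a live DemoGadget, so none of the class's magic methods run on data read from the database.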

Conclusion: Prioritizing Website Security

The discovery and subsequent mitigation of this critical vulnerability underscore the importance of prioritizing website security. WordPress users, especially those with the Better Search Replace plugin, are strongly advised to promptly update to version 1.4.5 to mitigate potential risks and ensure the safeguarding of their websites.