Hackers Target WordPress Database Plugin Active On 1 Million Sites
Malicious activity targeting a critical severity flaw in the ‘Better Search Replace’ WordPress plugin has been detected, with researchers observing thousands of attempts in the past 24 hours.
Better Search Replace is a WordPress plugin with more than one million installations that helps with search and replace operations in databases when moving websites to new domains or servers.
Admins can use it to search and replace specific text in the database or handle serialized data, and it provides selective replacement options, support for WordPress Multisite, and also includes a “dry run” option to make sure that everything works fine.
The plugin vendor, WP Engine, released version 1.4.5 last week to address a critical-severity PHP object injection vulnerability tracked as CVE-2023-6933.
The security issue stems from deserializing untrusted input and allows unauthenticated attackers to inject a PHP object. Successful exploitation could lead to code execution, access to sensitive data, file manipulation or deletion, and triggering an infinite loop denial of service condition.
The description of the flaw in Wordfence’s tracker states that Better Search Replace isn’t directly vulnerable but can be exploited to execute code, retrieve sensitive data, or delete files if another plugin or theme on the same site contains the Property Oriented Programming (POP) chain.
The exploitability of PHP object injection vulnerabilities often relies on the presence of a suitable POP chain that can be triggered by the injected object to perform malicious actions.
Hackers have seized the opportunity to exploit the vulnerability as WordPress security firm Wordfence reports that it has blocked over 2,500 attacks targeting CVE-2023-6933 on its clients over the past 24 hours.
The flaw impacts all Better Search Replace versions up to 1.4.4. Users are strongly recommended to upgrade to 1.4.5 as soon as possible.
Download stats on WordPress.org recorded close to a half million downloads over the past week, with 81% of the active versions being 1.4 but unclear about the minor release.
Update 1/25 – Wordfence has told BleepingComputer that they initially used a broad rule to detect the activity described above, and as a result, some of the logged attempts concern other flaws, like CVE-2023-25135. However, most of the attacks are attributed to exploitation attempts for CVE-2023-6933.