CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 2

24 Jan 2024 — The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. • https://github.com/w2xim3/CVE-2023-6933 • CWE-502: Deserialization of Untrusted Data

CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

01 Aug 2022 — The Better Search Replace WordPress plugin before 1.4.1 does not properly sanitise and escape table data before inserting it into a SQL query, which could allow high privilege users to perform SQL Injection attacks. • https://wpscan.com/vulnerability/229a065e-1062-44d4-818d-29aa3b6b6d41 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')