CVE-2025-24734

CVE-2025-24734 is a Missing Authorization vulnerability (CWE-862) in the WordPress plugin Better Find and Replace, also known as real-time-auto-find-and-replace, developed by CodeSolz. This issue enables privilege escalation and affects all versions of the plugin from n/a through 1.6.7 inclusive. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and significant impacts across confidentiality, integrity, and availability.

A low-privileged authenticated user, such as a contributor or subscriber with PR:L access, can exploit this vulnerability remotely over the network without user interaction. Exploitation allows the attacker to escalate privileges, potentially gaining unauthorized control over WordPress site functions, data, and configurations as permitted by the elevated role.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/real-time-auto-find-and-replace/vulnerability/wordpress-better-find-and-replace-plugin-1-6-7-privilege-escalation-vulnerability?_s_id=cve provides further details on the vulnerability, including recommendations for mitigation such as updating the plugin if a patched version is available or removing it if unnecessary.