CVE-2025-9334
Published: 08 November 2025
Description
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Security Summary
CVE-2025-9334 is a limited code injection vulnerability affecting the Better Find and Replace – AI-Powered Suggestions plugin for WordPress in all versions up to and including 1.7.7. The issue stems from insufficient input validation and restrictions in the 'rtafar_ajax' function, classified under CWE-94 (Code Injection). It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction required. By leveraging the flawed 'rtafar_ajax' function, they can invoke arbitrary plugin functions and execute code within those functions, potentially leading to unauthorized data access, modification, or disruption within the affected WordPress environment.
Advisories and references, including a Wordfence threat intelligence report, point to specific code locations: RTAFAR_CustomAjax.php (line 29), DbReplacer.php (line 507), and Util.php (line 233) in the plugin's trunk repository. A changeset at plugins.trac.wordpress.org/changeset/3389979/ likely documents the fix; administrators should update the plugin to a version later than 1.7.7 or restrict access to the vulnerable AJAX endpoint.
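The defect class described above is an AJAX handler that lets a low-privileged caller choose which plugin function runs. As an added illustration (not code from the Better Find and Replace plugin; the class, action name, method names and required capability are assumptions), a WordPress AJAX handler that gates the request on a nonce and an administrative capability and dispatches only to an explicit allowlist of methods:

```php
<?php
// Added example, not code from the Better Find and Replace plugin; the class,
// action name, method names and required capability are assumptions.
class Example_Ajax_Controller {
    // The only request "method" values that may be dispatched. Any other value is
    // rejected, so a caller cannot reach arbitrary plugin functions by naming them.
    const ALLOWED_METHODS = array( 'count_matches', 'preview_replace' );

    public function register() {
        // Logged-in users only: no wp_ajax_nopriv_ hook is registered on purpose.
        add_action( 'wp_ajax_example_find_replace', array( $this, 'handle' ) );
    }

    public function handle() {
        // 1. CSRF check: the request must carry a nonce issued for this action.
        check_ajax_referer( 'example_find_replace', 'nonce' );

        // 2. Authorization: a Subscriber-level account must not reach this code path.
        //    Database-wide search and replace is an administrative operation.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
        }

        // 3. Dispatch by allowlist, never call_user_func() on raw request input.
        $method = isset( $_POST['method'] ) ? sanitize_key( wp_unslash( $_POST['method'] ) ) : '';
        if ( ! in_array( $method, self::ALLOWED_METHODS, true ) ) {
            wp_send_json_error( array( 'message' => 'Unknown method.' ), 400 );
        }

        $search  = isset( $_POST['search'] ) ? sanitize_text_field( wp_unslash( $_POST['search'] ) ) : '';
        $replace = isset( $_POST['replace'] ) ? sanitize_text_field( wp_unslash( $_POST['replace'] ) ) : '';

        // $method is now one of a fixed set of literals, so this dynamic call is bounded.
        wp_send_json_success( $this->$method( $search, $replace ) );
    }

    private function count_matches( $search, $replace ) {
        global $wpdb;
        // Read-only, parameterised query; LIKE wildcards in user input are escaped.
        $like = '%' . $wpdb->esc_like( $search ) . '%';
        $sql  = $wpdb->prepare( "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_content LIKE %s", $like );
        return array( 'matches' => (int) $wpdb->get_var( $sql ) );
    }

    private function preview_replace( $search, $replace ) {
        // Shows the effect on a sample value without writing; a real write path would be
        // a separate, equally gated action.
        return array( 'preview' => str_replace( $search, $replace, get_bloginfo( 'description' ) ) );
    }
}

( new Example_Ajax_Controller() )->register();
```

Because wp_send_json_error() ends the request, the dispatch line is reached only for nonce-bearing, administrator-level requests naming an allowlisted method.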
Details
- CWE(s): CWE-94 (Code Injection)
AI Security Analysis
- AI Category: Enterprise AI Assistants
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: The vulnerability affects the 'Better Find and Replace – AI-Powered Suggestions' WordPress plugin, which provides AI-driven suggestions functioning as an assistant tool for content management, fitting the Enterprise AI Assistants category.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The limited code injection vulnerability allows authenticated Subscriber-level users to remotely call and execute arbitrary plugin functions, enabling exploitation of remote services (T1210) and privilege escalation beyond normal user permissions (T1068).