The plugin does not have a CSRF check when replacing strings, which could allow attackers to make a logged-in admin replace arbitrary strings in database tables via a CSRF attack.

Make a logged-in admin open a page with the code below.

| CPE | Name | Operator | Version |
|---|---|---|---|
| | find-and-replace-all | lt | 1.3 |
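
The missing check, seen from the fix side: a WordPress admin action that changes the database should verify a nonce in addition to the user's capability. This is an added example, not the plugin's own code; the `fra_example_*` names, the form fields, the redirect target and the choice of `post_content` as the column being rewritten are assumptions made for illustration.

```php
<?php
// Added example with hypothetical names; not taken from the plugin.

// Form side: wp_nonce_field() emits a hidden token bound to this action and user.
function fra_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="fra_example_replace">
        <?php wp_nonce_field( 'fra_example_replace', 'fra_example_nonce' ); ?>
        <input type="text" name="find">
        <input type="text" name="replace">
        <?php submit_button( 'Replace' ); ?>
    </form>
    <?php
}

// admin_post_{action} fires only for logged-in users. That is authentication,
// not CSRF protection: the browser sends the admin's cookies on a forged POST too.
add_action( 'admin_post_fra_example_replace', 'fra_example_handle_replace' );

function fra_example_handle_replace() {
    global $wpdb;

    // Authorisation: only administrators may rewrite content.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // CSRF check: stops the request unless it carries a valid nonce for this action.
    check_admin_referer( 'fra_example_replace', 'fra_example_nonce' );

    $find    = isset( $_POST['find'] ) ? (string) wp_unslash( $_POST['find'] ) : '';
    $replace = isset( $_POST['replace'] ) ? (string) wp_unslash( $_POST['replace'] ) : '';
    if ( '' === $find ) {
        wp_die( 'Nothing to search for.', '', array( 'response' => 400 ) );
    }

    // Assumed target column; prepare() handles SQL escaping of both values.
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->posts} SET post_content = REPLACE(post_content, %s, %s)",
        $find,
        $replace
    ) );

    wp_safe_redirect( admin_url( 'tools.php?page=fra-example&done=1' ) );
    exit;
}
```

A request forged from another origin cannot read the nonce out of the admin page, so `check_admin_referer()` rejects it before any table is touched.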