Better Search Replace is a popular WordPress plugin with more than 1 million active installations. Developers and power users rely on it to make changes across an entire WordPress site by querying and updating the site’s database. At Inacom, our WordPress developers use it constantly to edit sites, move websites between staging and production, and in any number of other ways. It was recently announced that versions of the plugin prior to 1.4.5 contain a security issue, meaning that if you have the plugin installed and you haven’t run your WordPress plugin updates since January 18, 2024, you’re probably at risk.
How Severe is this Better Search Replace Problem?
According to the Common Vulnerability Scoring System (CVSS), this security issue is rated 9.8 out of 10. That’s just about as bad as it gets: it is considered a CRITICAL vulnerability that should be fixed ASAP by your IT security team. While I haven’t seen any records of successful attacks using this issue, it’s a serious threat that somebody with malicious intent could exploit.
What is the Security Problem with Better Search Replace?
Better Search Replace 1.4.4 and earlier contain a PHP Object Injection vulnerability. PHP Object Injection means that user-supplied data reaches PHP’s unserialize() function, which lets an unauthenticated attacker create objects of their choosing inside your PHP process. Depending on what other code is loaded on the site, such an exploit can be used to run code, run SQL against your database, and read or delete files by traversing directories.
Better Search Replace itself does not contain the rest of the vulnerability puzzle: the chain of classes (often called a POP chain or gadget chain) that turns an injected object into something harmful. But this issue can be combined with security flaws in other plugins or themes that do provide such a chain to inject rogue instructions into your WordPress website.
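The script below is an added example written for this page; it is not code from Better Search Replace, WordPress, or Inacom, and it assumes PHP 8. The LogWriter class is a hypothetical gadget of the kind some other plugin or theme might define (the plugin itself ships no such chain): unserialize() on attacker-controlled input instantiates it, and its __destruct() runs with attacker-chosen properties. The two hardened handlers show how the same input is neutralised by refusing to instantiate classes, or by not using PHP serialization for untrusted data at all.

```php
<?php
// Added example, not from Better Search Replace or Inacom: why unserialize()
// on untrusted input is dangerous, and two ways to avoid it. Requires PHP 8.

// Hypothetical gadget class. Imagine another plugin or theme defines it for a
// legitimate purpose; the attacker only needs it to exist and be autoloadable.
class LogWriter
{
    public string $path = '/tmp/safe.log';
    public string $data = '';

    // PHP calls __destruct() when the object goes away, even for objects that
    // were created only by unserialize(). With attacker-controlled properties
    // this becomes an arbitrary file write.
    public function __destruct()
    {
        // A real gadget would call file_put_contents($this->path, $this->data);
        // this stand-in only reports what it was about to do.
        echo "[LogWriter::__destruct] would write " . strlen($this->data)
            . " bytes to {$this->path}\n";
    }
}

// Vulnerable pattern: user input flows straight into unserialize().
function vulnerable_handler(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern 1: refuse to instantiate any class. Scalars and arrays
// still round-trip, but no object with magic methods is ever created.
function hardened_handler(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not accept PHP's serialization format from the
// outside at all. JSON can carry the same data but cannot name a class.
function json_handler(string $untrusted): mixed
{
    return json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed attacker payload (not from any real advisory): the serialized
// form of a LogWriter whose path and data the attacker chose.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:17:"/tmp/attacker.php";'
         . 's:4:"data";s:19:"<?php phpinfo(); ?>";}';

$obj = vulnerable_handler($payload);
// The gadget now exists in memory; its __destruct() fires at script end.
echo "vulnerable handler produced: " . get_class($obj) . "\n";

$safe = hardened_handler($payload);
// Only a placeholder object comes back, so no gadget code can ever run.
echo "hardened handler produced: " . get_class($safe) . "\n";

try {
    json_handler($payload);
} catch (JsonException $e) {
    // PHP serialization syntax is simply not valid JSON.
    echo "json handler rejected the payload: " . $e->getMessage() . "\n";
}
```

Run it with the PHP CLI. The vulnerable handler returns a live LogWriter, and the __destruct() line appears when the script exits; the hardened handler returns __PHP_Incomplete_Class, a placeholder with no behaviour, so the gadget never runs; the JSON handler throws. The fix shipped in Better Search Replace 1.4.5 is the plugin author’s business, but the property that matters is the same one shown here: attacker-controlled bytes must never be able to name a class.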
I’m using a Web Application Firewall to Protect WordPress. Am I protected?
The short answer: Maybe.
If your WAF is out of date, regardless of which one you use, you are probably not protected from this Better Search Replace problem. Take a backup of your WordPress site and then update the plugin. Also check the release notes for your WAF to see whether the matter has been addressed.
The most popular WAF for WordPress is Wordfence, and Wordfence has created a firewall rule update for its customers. On the free tier, rule updates are delayed by 30 days; you need a valid subscription to be on the fastest update channel. If you aren’t paying for Wordfence, you won’t receive the rule for up to 30 days, so update the plugin yourself rather than waiting.
If you’re using a different WAF for your WordPress site, please refer to their alert system to see if you are protected or not.
Inacom’s Managed WordPress Solved This Issue Quickly!
If you’re subscribed to Inacom’s Managed WordPress service, your website received a virtual patch overnight on Tuesday. This provided immediate protection from this security issue without the risk of an unattended plugin update taking your site down. We followed up on Wednesday morning by updating Better Search Replace on all affected sites.
If you Manage Your Own WordPress Website, Update Better Search Replace (and the Rest of your Site).
If you’re on Inacom’s basic web hosting, we do not provide virtual patching, and we do not inventory the plugins in use on your unmanaged website. Please log in to your site, create a backup, and then update any outdated plugins and themes, as well as WordPress core if it needs it. Or you can request that we handle the issue for you; it’s a relatively quick fix. We’ll also take a new backup of your website and get the rest of your WordPress updates knocked out while we’re working on it.
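If you want to confirm where a site stands before and after updating, the check below is an added example written for this page, not code from Inacom or the plugin. It reads the WordPress plugin header of Better Search Replace’s main file (assumed to live at wp-content/plugins/better-search-replace/better-search-replace.php) and reports whether the installed version is below the fixed release, 1.4.5. A file with no readable Version header is treated as needing an update so the check fails closed.

```php
<?php
// Added example, not from Inacom or the plugin: is the installed
// Better Search Replace older than the fixed release 1.4.5?

const BSR_FIXED_VERSION = '1.4.5';

// Assumed path of the plugin's main file relative to the WordPress root.
const BSR_MAIN_FILE = 'wp-content/plugins/better-search-replace/better-search-replace.php';

// Pull "Version: x.y.z" out of a WordPress-style plugin header block.
// Returns null when the header is missing or malformed.
function parse_plugin_version(string $header): ?string
{
    if (preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header, $m) !== 1) {
        return null;
    }
    return trim($m[1]);
}

// True when the header shows a version below 1.4.5, or when no version can be
// read at all (fail closed: an unknown version is not proof of a patched site).
function bsr_needs_update(string $header): bool
{
    $version = parse_plugin_version($header);
    if ($version === null) {
        return true;
    }
    return version_compare($version, BSR_FIXED_VERSION, '<');
}

// Same check against a real install. Returns null when the plugin file is not
// present, so "not installed" is not confused with "needs update".
function bsr_needs_update_at(string $wp_root): ?bool
{
    $path = rtrim($wp_root, '/') . '/' . BSR_MAIN_FILE;
    if (!is_readable($path)) {
        return null;
    }
    // Plugin headers sit at the top of the file; 8 KiB is what WordPress reads.
    return bsr_needs_update((string) file_get_contents($path, false, null, 0, 8192));
}

// Constructed sample headers, shaped like a WordPress plugin header block.
$old = "<?php\n/**\n * Plugin Name: Better Search Replace\n * Version: 1.4.4\n */\n";
$new = "<?php\n/**\n * Plugin Name: Better Search Replace\n * Version: 1.4.5\n */\n";
$bad = "<?php\n/**\n * Plugin Name: Better Search Replace\n */\n";

foreach (['1.4.4 header' => $old, '1.4.5 header' => $new, 'no Version header' => $bad] as $label => $header) {
    echo $label . ': ' . (bsr_needs_update($header) ? 'needs update' : 'patched') . "\n";
}

// On a live server, point it at the WordPress root, e.g. bsr_needs_update_at('/var/www/html').
```

The 1.4.4 and header-less samples report “needs update” and the 1.4.5 sample reports “patched”. Run bsr_needs_update_at() against each site’s WordPress root before and after you apply updates; a null result means the plugin isn’t installed there at all.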