CVE-2023-6933: 
WordPress vulnerability analysis and mitigation

The Better Search Replace plugin for WordPress contains a critical vulnerability (CVE-2023-6933) affecting all versions up to and including 1.4.4. This security flaw, discovered in early 2024, allows unauthenticated attackers to perform PHP Object Injection through the deserialization of untrusted input. The vulnerability has received a critical severity rating of 9.8 out of 10 (Security Online, NVD).

The vulnerability stems from the plugin's handling of PHP Object Injection via deserialization of untrusted input. While the Better Search Replace plugin itself does not contain a Property-Oriented Programming (POP) chain, the presence of such a chain in another installed plugin or theme could amplify the threat. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The exploitation of this vulnerability could lead to severe consequences including arbitrary file deletions, unauthorized access to sensitive data, and potential arbitrary code execution if a POP chain is present through additional plugins or themes installed on the target system (Security Online, NVD).

WP Engine has released version 1.4.5 of the Better Search Replace plugin to address this vulnerability. Site administrators are strongly advised to update their installations to this latest version immediately to mitigate the risk (Security Online, ASEC).