CVE-2025-24734: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-24734) was discovered in CodeSolz Better Find and Replace WordPress plugin, affecting versions through 1.6.7. The vulnerability was disclosed on January 27, 2025, and allows privilege escalation in the affected plugin which has over 50,000 active installations (Patchstack Article).

The vulnerability stems from a combination of nonce leakage to low-privileged users and insufficient permission checks in the database text replacement function. The plugin's routing mechanism uses a class/method-based approach instead of traditional ajax hooks, where the vulnerability exists in the dbstringreplace function that can be called with the method value 'admin\functions\DbReplacer@dbstringreplace'. The issue received a CVSS v3.1 score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Patchstack Article).

The vulnerability allows a subscriber-level user to manipulate database content, specifically in wpposts, wppostmeta, and wp_options tables. An attacker could exploit this to change the default registration permission to Administrator level and create a new account with full administrative access to the WordPress site. Even if default registration is disabled, an attacker could enable it through the same vulnerability (Patchstack Article).

The vulnerability has been patched in version 1.6.8 of the Better Find and Replace plugin. The fix implements strict permission checks for executing sensitive methods. Users are strongly advised to update to version 1.6.8 or later immediately. Patchstack customers are automatically protected through virtual patching (Patchstack Article).