WordPress Better Search Replace Plugin Vulnerability Hit +1 Million Sites

Better Search Replace Plugin Vulnerability

The WordPress community has been alerted to a critical vulnerability in the widely-used Better Search Replace plugin. This security flaw poses a significant threat to website integrity and user data, impacting potentially over a million sites.

It’s a stark reminder of the vulnerabilities that can exist in popular web tools and the importance of timely updates and security checks in the digital realm.

Unauthenticated PHP Object Injection Vulnerability

PHP Object Injection vulnerabilities arise when a PHP application unsafely unserializes user-supplied data, potentially allowing attackers to manipulate the logic of an application and perform unauthorized actions.

Better Search Replace <= 1.4.4

Open Worldwide Application Security Project (OWASP) stated:

The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.

In order to successfully exploit a PHP Object Injection vulnerability two conditions must be met:

  • The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be used to carry out malicious attacks, or to start a ‘POP chain’.
  • All of the classes used during the attack must be declared when the vulnerable unserialize() is being called, otherwise object autoloading must be supported for such classes.

The example below shows a PHP class with an exploitable __destruct method:

class Example1
   public $cache_file;

   function __construct()
      // some PHP code...

   function __destruct()
      $file = "/var/www/cache/tmp/{$this->cache_file}";
      if (file_exists($file)) @unlink($file);

// some PHP code...

$user_data = unserialize($_GET['data']);

// some PHP code...

In the case of the Better Search Replace WordPress plugin, this particular vulnerability allows for such exploitations, posing a critical threat to website security.

Note: Wordfence blocked 128 attacks targeting this vulnerability in the past 24 hours.

Severity Level Of Vulnerability

The vulnerability in the Better Search Replace plugin is notable for its severity. Rated as ‘Critical’ with a score of 9.8, it indicates a high potential for significant damage.

Severity Level Of Better Search Replace Plugin Vulnerability

This could include arbitrary file deletions, unauthorized access to sensitive information, and even execution of malicious code. The high severity score underlines the urgency for users of the plugin to update to the safer version to protect their WordPress sites.

  • Low 0.1-3.9
  • Medium 4.0-6.9
  • High 7.0-8.9
  • Critical 9.0-10.0

WP Engine, the developers of the Better Search Replace plugin, quickly addressed the critical vulnerability with a prompt update. This update is designed to mitigate the risks associated with the PHP Object Injection vulnerability, showcasing WP Engine’s dedication to maintaining the security and integrity of WordPress sites.

This proactive step is crucial for users of the plugin, as it provides necessary protection against the identified security threats.

Better Search Replace WordPress Plugin

WordPress Better Search Replace Plugin

The Better Search Replace plugin for WordPress, developed by WP Engine, is a vital tool for website administrators.

It streamlines the process of updating links or text across a WordPress website, particularly useful during site migrations. The plugin offers both free and Pro versions.

The free version covers basic search and replace functionalities, while the Pro version provides advanced features like backup and import/export capabilities.

The plugin website lists the following features of the free version:

  • Serialization support for all tables
  • The ability to select specific tables
  • The ability to run a “dry run” to see how many fields will be updated
  • No server requirements aside from a running installation of WordPress
  • WordPress Multisite support

It’s especially handy for WordPress Multisite setups, where managing multiple sites under a single network is streamlined. The plugin’s popularity stems from its user-friendly interface, reliability, and effectiveness in simplifying complex tasks. This makes it a trusted and valuable asset for WordPress site management.


The incident with the Better Search Replace plugin serves as a critical reminder of the dynamic and ever-changing nature of web security.

It underscores the importance for WordPress site owners to stay informed and proactive in safeguarding their online assets.

This entails a continuous commitment to vigilance and adherence to best practices in website maintenance and security, ensuring the protection and integrity of their digital presence.

24/7 WP Security & Malware Removal
Is your site hacked or infected with malware? Let us get it fixed for you
Secure My Website(s)