CVE-2023-6933: Better Search Replace < 1.4.5 - PHP Object Injection

日期: 2025-08-01 | 影响软件: Better Search Replace | POC: 已公开

漏洞描述

The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

PoC代码[已公开]

id: CVE-2023-6933

info:
  name: Better Search Replace < 1.4.5 - PHP Object Injection
  author: pussycat0x
  severity: critical
  description: |
    The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
  impact: |
    Attackers can execute arbitrary code, delete files, or retrieve sensitive data on the server.
  remediation: Update to the latest version of the plugin, version 1.4.5 or later.
  reference:
    - https://posimyth.ticksy.com/ticket/2713734/
    - https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-for-elementor-allows-site-takeover/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-6933
    cwe-id: CWE-502
    epss-score: 0.93295
    epss-percentile: 0.99794
    cpe: cpe:2.3:a:wpengine:better_search_replace:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    fofa-query: body="/wp-content/plugins/better-search-replace/"
    max-request: 1
    vendor: wpengine
    product: better_search_replace
    framework: wordpress
  tags: cve,cve2023,wordpress,wp-plugin,wp,wpscan,better-search-replace,passive,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/better-search-replace/README.txt"
      - "{{BaseURL}}/wp-content/plugins/better-search-replace/readme.txt"

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, 'Better Search')"
          - "compare_versions(version, '< 1.4.5')"
        condition: and

    extractors:
      - type: regex
        part: body
        group: 1
        name: version
        regex:
          - 'Stable tag: ([0-9.]+)'
# digest: 4a0a004730450221009a0c279bf425326654af628526c9fc582c7fb3dcb96ff25f4af32a3f5a081ded022049e99c106040bed29fc2e8552567e3417d2318a77db4f802c90d3e067716935c:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-6933.yaml