CVE-2025-10313
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-10-16
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| janki_moradiya | find_and_replace_content | 1.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Find And Replace content for WordPress plugin allows unauthenticated attackers to perform Stored Cross-Site Scripting (XSS) and Arbitrary Content Replacement because the plugin's far_admin_ajax_fun() function lacks a proper capability check. This means attackers can inject malicious web scripts into pages, potentially leading to privilege escalation and malicious redirects.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to inject malicious scripts into your WordPress site, which can lead to unauthorized privilege escalation and redirect your users to malicious sites. This compromises the security and integrity of your website and can harm your users.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or removing the vulnerable 'Find And Replace content for WordPress' plugin (version 1.1 and earlier) from your WordPress installation, as the plugin has been temporarily closed and removed from download availability pending a full security review. Additionally, ensure that your WordPress installation does not use this plugin or replace it with a secure alternative. Monitoring for unauthorized script injections and privilege escalations is also recommended. [2]