CVE-2023-6933

HIGH EXPLOITED NUCLEI LAB

Better Search Replace <= 1.4.4 - Unauthenticated PHP Object Injection via Untrusted Input Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2023-6933 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including Trex96, w2xim3. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional Proof-of-Concept for CVE-2023-6933, demonstrating a PHP Object Injection vulnerability in the Better Search Replace WordPress plugin. The PoC includes a Nuclei template for detection and exploitation, along with detailed documentation and a Docker environment for testing.

Description

The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Exploits (2)

nomisec WORKING POC
by Trex96 · remote
https://github.com/Trex96/vulnerable-bsr-lab-CVE-2023-6933

This repository contains a functional Proof-of-Concept for CVE-2023-6933, demonstrating a PHP Object Injection vulnerability in the Better Search Replace WordPress plugin. The PoC includes a Nuclei template for detection and exploitation, along with detailed documentation and a Docker environment for testing.

Classification
Working Poc 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Better Search Replace WordPress Plugin ≤ 1.4.4
No auth needed
Prerequisites: Nuclei v3.0+ · Target with vulnerable plugin version
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WRITEUP
by w2xim3 · remote
https://github.com/w2xim3/CVE-2023-6933

This repository provides a detailed technical analysis of CVE-2023-6933, a PHP Object Injection vulnerability in the 'Better Search Replace' WordPress plugin. It includes a step-by-step breakdown of the exploitation process, leveraging the `WP_HTML_Token` class in WordPress 6.4.0 to achieve remote code execution (RCE) through deserialization.

Classification
Writeup 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: WordPress Better Search Replace plugin (versions up to 1.4.4) and WordPress 6.4.0
No auth needed
Prerequisites: Presence of a vulnerable plugin or theme with a PHP Object Injection chain · WordPress 6.4.0 with the `WP_HTML_Token` class
devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

Better Search Replace < 1.4.5 - PHP Object Injection
CRITICALVERIFIEDby pussycat0x
FOFA: body="/wp-content/plugins/better-search-replace/"

References (3)

Core 3

Scores

CVSS v3 8.8
EPSS 0.6805
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull trex999/vulnerable-bsr-lab:latest

Details

VulnCheck KEV 2024-01-25
CWE
CWE-502
Status published
Products (2)
wpengine/Better Search Replace < 1.4.4
wpengine/better_search_replace < 1.4.5
Published Feb 05, 2024
Tracked Since Feb 18, 2026