CVE-2025-10313

HIGH

Find And Replace content for WordPress <= 1.1 - Unauthenticated Stored XSS and Arbitrary Content Replacement

Title source: llm

Description

The Find And Replace content for WordPress plugin for WordPress is vulnerable to unauthorized Stored Cross-Site Scripting and Arbitrary Content Replacement due to a missing capability check on the far_admin_ajax_fun() function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that can make privilege escalation and malicious redirects possible.

References (3)

Core 3

Core References

Product

https://plugins.trac.wordpress.org/browser/find-and-replace-content/trunk/function.php?rev=1601465

Product

https://wordpress.org/plugins/find-and-replace-content/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/c0469ece-6f5f-4774-8094-f7f67702a775?source=cve

Scores

CVSS v3 7.2

EPSS 0.0026

EPSS Percentile 17.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (1)

jankimoradiya/Find And Replace content for WordPress < 1.1

Published Oct 15, 2025

Tracked Since Feb 18, 2026