Vulnerabilities and security researches forreal-time-auto-find-and-replace real-time-auto-find-and-replace

Jun 07, 2024

CVE, Research URL: CVE-2021-24676
Home page URL: Security reports for Better Find and Replace
Application: Better Find and Replace
Date: Oct 04, 2021
Research Description: The Better Find and Replace WordPress plugin before 1.2.9 does not escape the 's' GET parameter before outputting back in the All Masking Rules page, leading to a Reflected Cross-Site Scripting issue
Affected versions: max 1.3.4.
Status: vulnerable

CVE, Research URL: CVE-2022-1472
Home page URL: Security reports for Better Find and Replace
Application: Better Find and Replace
Date: Jun 20, 2022
Research Description: The Better Find and Replace WordPress plugin before 1.3.6 does not properly sanitise, validate and escape various parameters before using them in an SQL statement, leading to an SQL Injection
Affected versions: max 1.3.6.
Status: vulnerable

Aug 02, 2024

CVE, Research URL: CVE-2024-39636
Home page URL: Security reports for Better Find and Replace
Application: Better Find and Replace
Date: Aug 02, 2024
Research Description: Deserialization of Untrusted Data vulnerability in CodeSolz Better Find and Replace.This issue affects Better Find and Replace: from n/a through 1.6.1.
Affected versions: max 1.6.2.
Status: vulnerable

Jan 29, 2025

CVE, Research URL: CVE-2025-24734
Home page URL: Security reports for Better Find and Replace
Application: Better Find and Replace
Date: Jan 27, 2025
Research Description: Missing Authorization vulnerability in CodeSolz Better Find and Replace allows Privilege Escalation. This issue affects Better Find and Replace: from n/a through 1.6.7.
Affected versions: max 1.6.8.
Status: vulnerable

Dec 10, 2025

CVE, Research URL: CVE-2025-12360
Home page URL: Security reports for Better Find and Replace
Application: Better Find and Replace
Date: Nov 06, 2025
Research Description: The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to unauthorized API usage due to a missing capability check on the rtafar_ajax() function in all versions up to, and including, 1.7.7. This makes it possible for authenticated attackers, with Subscriber-level access, to trigger OpenAI API key usage resulting in quota consumption potentially incurring cost.
Affected versions: max 1.7.8.
Status: vulnerable

Apr 17, 2026

CVE, Research URL: CVE-2026-3369
Home page URL: Security reports for Better Find and Replace
Application: Better Find and Replace
Date: Apr 16, 2026
Research Description: The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 1.8.0.
Status: vulnerable