Vulnerabilities and security researches forsearch-and-replace search-and-replace

Jun 14, 2026

CVE, Research URL: 1daf69e73e2c83843daa9fd94f5abd449c12f160
Home page URL: Security reports for Search & Replace
Application: Search & Replace
Date: May 23, 2024
Research Description: Search & Replace [search-and-replace] < 3.2.2 Search & Replace <= 3.2.1 - Authenticated (Administrator+) SQL injection The Search & Replace plugin for WordPress is vulnerable to SQL Injection via the select_tables parameter in all version up to, and including, 3.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions: max 3.2.2.
Status: vulnerable

Aug 27, 2024

PSC, Research URL: PSC-2024-64522
Home page URL: Security reports for Search & Replace
Application: Search & Replace
Date: Aug 05, 2025
Research Description: With the advent of the Plugin Security Certification (PSC) from CleanTalk, the "Search & Replace" plugin has attained a new level of trust and reliability. This certification underscores the commitment to robust security measures, ensuring the integrity of your WordPress database management.
Affected versions: Min 3.2.3, max 3.2.3.
Status: SAFE & CERTIFIED

Jul 15, 2024

CVE, Research URL: CVE-2024-38759
Home page URL: Security reports for Search & Replace
Application: Search & Replace
Date: Jul 22, 2024
Research Description: Deserialization of Untrusted Data vulnerability in WP MEDIA SAS Search & Replace search-and-replace.This issue affects Search & Replace: from n/a through 3.2.2.
Affected versions: max 3.2.3.
Status: vulnerable

Jun 15, 2024

CVE, Research URL: CVE-2024-4145
Home page URL: Security reports for Search & Replace
Application: Search & Replace
Date: Jun 13, 2024
Research Description: The Search & Replace WordPress plugin before 3.2.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks (such as within a multi-site network).
Affected versions: max 3.2.2.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2024-0756
Home page URL: Security reports for Search & Replace
Application: Search & Replace
Date: Jun 04, 2024
Research Description: The Insert or Embed Articulate Content into WordPress plugin through 4.3000000023 lacks validation of URLs when adding iframes, allowing attackers to inject an iFrame in the page and thus load arbitrary content from any page.
Affected versions: max 3.2.2.
Status: vulnerable