Vulnerabilities and security researches forstring-locator string-locator

Jun 06, 2024

CVE, Research URL: CVE-2022-0493
Home page URL: Security reports for String locator
Application: String locator
Date: Mar 28, 2022
Research Description: The String locator WordPress plugin before 2.5.0 does not properly validate the path of the files to be searched, allowing high privilege users such as admin to query arbitrary files on the web server via a path traversal vector. Furthermore, due to a flaw in the search, allowing a pattern to be provided, which will be used to output the relevant matches from the matching file, all content of the file can be disclosed.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2022-2434
Home page URL: Security reports for String locator
Application: String locator
Date: Sep 06, 2022
Research Description: The String Locator plugin for WordPress is vulnerable to deserialization of untrusted input via the 'string-locator-path' parameter in versions up to, and including 2.5.0. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
Affected versions: Min -, max -.
Status: vulnerable

Aug 24, 2024

CVE, Research URL: CVE-2023-6987
Home page URL: Security reports for String locator
Application: String locator
Date: Aug 24, 2024
Research Description: The String locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sql-column' parameter in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This required WP_DEBUG to be enabled in order to be exploited.
Affected versions: Min -, max -.
Status: vulnerable

Jan 22, 2025

CVE, Research URL: CVE-2024-10936
Home page URL: Security reports for String locator
Application: String locator
Date: Jan 21, 2025
Research Description: The String locator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must perform a search and replace action to trigger the exploit.
Affected versions: Min -, max -.
Status: vulnerable

Aug 13, 2025

PSC, Research URL: PSC-2025-64583
Home page URL: Security reports for String locator
Application: String locator
Date: Aug 13, 2025
Research Description: String Locator is a specialized WordPress plugin designed to help developers, administrators, and site managers quickly find and edit text strings within themes, plugins, and even WordPress core files. This tool eliminates the guesswork of locating hardcoded text by providing precise search results, including file paths, matching lines, and contextual previews. The plugin also features in-browser editing, allowing you to make changes directly from the search results. Before saving, it runs a built-in consistency check that scans for unbalanced braces, brackets, and parentheses, reducing the risk of syntax errors and broken functionality. While not a substitute for full testing, this safeguard significantly minimizes common editing mistakes. For maximum safety, it’s recommended to work on a staging site before deploying changes to production.
Affected versions: Min -, max -.
Status: SAFE & CERTIFIED