cleantalk
Vulnerabilities and Security Researches

Better Find and Replace, CVE-2026-3369

CVE, Research URL

CVE-2026-3369

Home page URL

Security reports for Better Find and Replace

Application

Better Find and Replace

Published on
Apr 16, 2026
Research Description
The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.8.0.
Status
vulnerable
Previous vulnerability researches
Prodigy Commerce (CVE-2024-54251) , Dec 11, 2024
Prodigy Commerce (CVE-2026-0926) , Apr 15, 2026
Prodigy Commerce (CVE-2024-54250) , Dec 15, 2024
New vulnerability
DirectoryPress – Business Directory And Classified Ad Listing (CVE-2026-3489) , Apr 17, 2026
Better Find and Replace (CVE-2026-3369) , Apr 17, 2026
FastDup – Fastest WordPress Migration & Duplicator (CVE-2026-0604) , Apr 17, 2026
Short Link (CVE-2026-0813) , Apr 17, 2026
Nelio AB Testing (CVE-2026-40742) , Apr 17, 2026