CVE-2025-10313
📋 TL;DR
This vulnerability in the Find And Replace content WordPress plugin allows unauthenticated attackers to inject malicious scripts into website pages and replace arbitrary content. All WordPress sites using vulnerable plugin versions are affected, potentially leading to privilege escalation and malicious redirects.
💻 Affected Systems
- Find And Replace content WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access, deface websites, steal sensitive data, install backdoors, and redirect visitors to malicious sites.
Likely Case
Attackers inject malicious scripts to steal session cookies, redirect users to phishing sites, or display unwanted content.
If Mitigated
Limited to content manipulation without privilege escalation if proper input validation and output encoding are implemented.
🎯 Exploit Status
No authentication required, simple AJAX endpoint exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2 or later
Vendor Advisory: https://wordpress.org/plugins/find-and-replace-content/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Find And Replace content' plugin.
4. Click 'Update Now' if available.
5. If no update is available, deactivate and delete the plugin.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the Find And Replace content plugin:
wp plugin deactivate find-and-replace-content
Restrict AJAX endpoint access
Add .htaccess rules (Apache) to block requests that name the vulnerable AJAX action in the URL. Note that %{REQUEST_URI} and %{QUERY_STRING} only see the request line: a POST that carries action=far_admin_ajax_fun in its body is not matched, so this rule is a partial measure and deactivating the plugin remains the reliable workaround.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php$ [NC]
RewriteCond %{QUERY_STRING} action=far_admin_ajax_fun
RewriteRule ^ - [F]
🧯 If You Can't Patch
- Disable the Find And Replace content plugin immediately
- Implement web application firewall rules to block requests to the vulnerable AJAX endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for 'Find And Replace content' version 1.1 or earlier
Check Version:
wp plugin get find-and-replace-content --field=version
Verify Fix Applied:
Verify plugin version is 1.2 or later, or plugin is deactivated/removed
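The version check above can be scripted where wp-cli is not available. The following is an added example, not code from the advisory or the plugin: it reads the plugin header from the plugin directory (the slug find-and-replace-content comes from the advisory; the main file name is not given, so every top-level .php file is scanned for a `Plugin Name:` header) and compares the `Version:` value against the fixed release 1.2.

```python
import re
from pathlib import Path

# Assumed install path: standard WordPress plugin directory plus the slug from the advisory.
PLUGIN_DIR = "wp-content/plugins/find-and-replace-content"
FIXED_VERSION = (1, 2)  # "Patch Version: 1.2 or later" per the advisory

# Matches "Version: 1.1" or " * Version: 1.1" inside the plugin header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def parse_version(header_text):
    """Return the Version: value from a WordPress plugin header, or None."""
    m = HEADER_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(version):
    """'1.1.5' -> (1, 1, 5); empty components (e.g. a trailing dot) are ignored."""
    return tuple(int(p) for p in version.split(".") if p)


def is_vulnerable(version):
    """True when the installed version is below the fixed release (1.1 or earlier)."""
    return version_tuple(version) < FIXED_VERSION


def check_plugin_dir(plugin_dir=PLUGIN_DIR):
    """Return (status, version) with status one of 'absent', 'unknown', 'vulnerable', 'fixed'."""
    plugin_dir = Path(plugin_dir)
    if not plugin_dir.is_dir():
        return ("absent", None)
    for php in sorted(plugin_dir.glob("*.php")):
        try:
            head = php.read_text(errors="replace")[:8192]  # header lives at the top of the file
        except OSError:
            continue
        if "Plugin Name:" not in head:
            continue  # not the main plugin file
        ver = parse_version(head)
        if ver is None:
            return ("unknown", None)
        return ("vulnerable" if is_vulnerable(ver) else "fixed", ver)
    return ("unknown", None)


if __name__ == "__main__":
    status, ver = check_plugin_dir()
    print(f"{PLUGIN_DIR}: {status} (version {ver})")
```

Run it from the WordPress root; a status of `absent` means the plugin is not installed (or has been deleted as the fix instructions suggest), while `vulnerable` means the header reports 1.1 or earlier.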
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=far_admin_ajax_fun parameter
- Unusual content modifications in WordPress database
Network Indicators:
- HTTP requests to admin-ajax.php with suspicious payloads
- Unexpected JavaScript injection in page responses
SIEM Query:
source="web_access" AND uri="/wp-admin/admin-ajax.php" AND query="*action=far_admin_ajax_fun*"
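The log indicators and SIEM query above can be applied to raw access logs before they reach a SIEM. The following is an added example, not part of the advisory: it parses combined-format access log lines (the sample lines are constructed, not real traffic), flags any request to admin-ajax.php whose query string names the far_admin_ajax_fun action, and separately marks POSTs with no query string and no Referer for review, since combined logs do not record POST bodies and an action passed there is invisible to the first check.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (combined format); none of these lines are real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=far_admin_ajax_fun HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2025:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 77 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=far_admin_ajax_fun&foo=bar HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2025:12:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "https://example.test/" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2025:12:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
VULN_ACTION = "far_admin_ajax_fun"  # AJAX action named in the advisory


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a reason string when the entry matches an indicator, else None."""
    parts = urlsplit(entry["target"])
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(parts.query)
    if VULN_ACTION in params.get("action", []):
        return "vulnerable action in query string"
    # The body of a POST is not in the access log, so an action sent there cannot be seen.
    # Browser-driven admin-ajax calls normally carry a Referer; a bare POST without one is
    # worth a look rather than a definite match.
    if entry["method"] == "POST" and not parts.query and entry["referer"] in ("", "-"):
        return "POST to admin-ajax.php without query or referer (body not logged; review)"
    return None


def find_suspect_requests(log_text):
    """Return (ip, method, reason) tuples for every flagged line in log_text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append((entry["ip"], entry["method"], reason))
    return hits


if __name__ == "__main__":
    for ip, method, reason in find_suspect_requests(SAMPLE_LOG):
        print(f"{ip} {method}: {reason}")
```

Feed it a real access log with `find_suspect_requests(open(path).read())`; definite matches correspond to the SIEM query above, and the review category is where to look if the web server is configured to log POST parameters separately.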