Cyber Resilience

CVE-2023-6933

High · Public PoC · RCE

Published: 05 February 2024
Modified: 08 April 2026
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9303 (99.8th percentile)
Risk Priority: 73 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-6933 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Wpengine Better Search Replace. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The Better Search Replace plugin for WordPress is affected by a PHP Object Injection vulnerability, tracked as CVE-2023-6933 and CWE-502, in all versions through 1.4.4. The issue stems from unsafe deserialization of untrusted input in the database-handling code within class-bsr-db.php, which allows an attacker to supply serialized PHP objects. The plugin itself contains no POP chain.

Unauthenticated remote attackers can trigger the flaw via crafted requests, and if a usable POP chain is supplied by another plugin or theme on the target site they may achieve arbitrary file deletion, sensitive data disclosure, or code execution. The vulnerability carries a CVSS 3.1 base score of 8.8 reflecting network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.

Public references include a WordPress plugin changeset that modifies the affected deserialization routine, indicating that administrators should apply the vendor update to eliminate the unsafe input handling. The associated EPSS score currently stands at 0.9303 with a recorded peak of 0.9340.
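The unsafe pattern described above, shown in hardened form as an added example (not the plugin's code and not the vendor's changeset): a search-and-replace routine over stored values that unserializes with PHP's `allowed_classes => false` option, so no class named in untrusted data is ever instantiated. The function names and sample rows are constructed for illustration.

```php
<?php // Added illustration; function names are hypothetical, not from the plugin.
// True if an unserialized value holds any object. With allowed_classes=false
// every serialized object arrives as an inert __PHP_Incomplete_Class.
function example_contains_object($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (example_contains_object($item)) {
            return true;
        }
    }
    return false;
}

// Replace $search with $replace in a stored value that may be PHP-serialized.
function example_replace(string $search, string $replace, $data)
{
    if (is_array($data)) {
        foreach ($data as $key => $item) {
            $data[$key] = example_replace($search, $replace, $item);
        }
        return $data;
    }
    if (!is_string($data)) {
        return $data; // ints, floats, bools, null: nothing to replace
    }
    // No class is instantiated, so no __wakeup()/__destruct() gadget can run.
    $decoded = @unserialize($data, ['allowed_classes' => false]);
    if ($decoded === false && $data !== 'b:0;') {
        return str_replace($search, $replace, $data); // plain, non-serialized string
    }
    if (example_contains_object($decoded)) {
        return $data; // conservative: leave object-bearing values untouched
    }
    return serialize(example_replace($search, $replace, $decoded));
}

// Constructed sample rows: a plain string, a serialized array, a serialized object.
$rows = [
    'plain'  => 'http://old.example/page',
    'array'  => serialize(['url' => 'http://old.example/a', 'n' => 3]),
    'object' => 'O:8:"stdClass":1:{s:3:"url";s:18:"http://old.example";}',
];
foreach ($rows as $name => $value) {
    echo $name, ': ', example_replace('old.example', 'new.example', $value), PHP_EOL;
}
```

Re-serializing after the replace keeps the `s:<length>` prefixes correct, and the object-bearing row is returned byte-for-byte unchanged.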

Vulnerability details

The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: wpengine
Product: better search replace
Affected versions: ≤ 1.4.5

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-502

Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.

addresses: CWE-502

Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.

addresses: CWE-502

Untrusted serialized data can be deserialized and observed inside the chamber, blocking gadget-chain exploitation outside the sandbox.

addresses: CWE-502

Validates or rejects untrusted serialized data before deserialization occurs.

addresses: CWE-502

Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.

addresses: CWE-502

Integrity verification of serialized information can detect tampering before deserialization occurs.

addresses: CWE-502

Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.
