CVE-2025-9334
Published: 08 November 2025
Summary
CVE-2025-9334 is a high-severity Code Injection (CWE-94) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 25.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the root cause of insufficient input validation in the rtafar_ajax function, preventing arbitrary plugin function calls and code injection.
Requires timely remediation of the code injection flaw by updating the plugin beyond version 1.7.7, as indicated in the advisory changeset.
Enforces least privilege to restrict Subscriber-level users from executing arbitrary high-impact plugin functions via the vulnerable AJAX endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The limited code injection vulnerability allows authenticated Subscriber-level users to remotely call and execute arbitrary plugin functions, enabling exploitation of remote services (T1210) and privilege escalation beyond normal user permissions (T1068).
NVD Description
The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. This is due to insufficient input validation and restriction on the 'rtafar_ajax' function. This makes…
more
it possible for authenticated attackers, with Subscriber-level access and above, to call arbitrary plugin functions and execute code within those functions.
Deeper analysisAI
CVE-2025-9334 is a limited code injection vulnerability affecting the Better Find and Replace – AI-Powered Suggestions plugin for WordPress in all versions up to and including 1.7.7. The issue stems from insufficient input validation and restrictions in the 'rtafar_ajax' function, classified under CWE-94 (Code Injection). It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction required. By leveraging the flawed 'rtafar_ajax' function, they can invoke arbitrary plugin functions and execute code within those functions, potentially leading to unauthorized data access, modification, or disruption within the affected WordPress environment.
Advisories and references, including a Wordfence threat intelligence report, highlight specific code locations such as RTAFAR_CustomAjax.php (line 29), DbReplacer.php (line 507), and Util.php (line 233) in the plugin's trunk repository. A changeset at plugins.trac.wordpress.org/changeset/3389979/ likely documents remediation efforts, urging administrators to update the plugin beyond version 1.7.7 or restrict access to the vulnerable AJAX endpoint.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- The vulnerability affects the 'Better Find and Replace – AI-Powered Suggestions' WordPress plugin, which provides AI-driven suggestions functioning as an assistant tool for content management, fitting the Enterprise AI Assistants category.