CVE-2025-9334
Published: 08 November 2025
Summary
CVE-2025-9334 is a high-severity Code Injection (CWE-94) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 30.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other Platforms; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-9334 is a limited code injection vulnerability affecting the Better Find and Replace – AI-Powered Suggestions plugin for WordPress in all versions up to and including 1.7.7. The issue stems from insufficient input validation and restrictions in the 'rtafar_ajax' function, classified under CWE-94 (Code Injection). It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction required. By leveraging the flawed 'rtafar_ajax' function, they can invoke arbitrary plugin functions and execute code within those functions, potentially leading to unauthorized data access, modification, or disruption within the affected WordPress environment.
Advisories and references, including a Wordfence threat intelligence report, highlight specific code locations such as RTAFAR_CustomAjax.php (line 29), DbReplacer.php (line 507), and Util.php (line 233) in the plugin's trunk repository. A changeset at plugins.trac.wordpress.org/changeset/3389979/ likely documents remediation efforts, urging administrators to update the plugin beyond version 1.7.7 or restrict access to the vulnerable AJAX endpoint.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-38363
Vulnerability details
The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. This is due to insufficient input validation and restriction on the 'rtafar_ajax' function. This makes…
more
it possible for authenticated attackers, with Subscriber-level access and above, to call arbitrary plugin functions and execute code within those functions.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The limited code injection vulnerability allows authenticated Subscriber-level users to remotely call and execute arbitrary plugin functions, enabling exploitation of remote services (T1210) and privilege escalation beyond normal user permissions (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the root cause of insufficient input validation in the rtafar_ajax function, preventing arbitrary plugin function calls and code injection.
Requires timely remediation of the code injection flaw by updating the plugin beyond version 1.7.7, as indicated in the advisory changeset.
Enforces least privilege to restrict Subscriber-level users from executing arbitrary high-impact plugin functions via the vulnerable AJAX endpoint.