eastbaycyber

CVE-2025-11024: Better Search Replace flaw

CVE explainers 8 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-05-14
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief

CVE-2025-11024 is a medium-severity information disclosure vulnerability in the Better Search Replace WordPress plugin. The issue affects versions through 1.4.11 and may allow Subscriber-level users or other low-privilege authenticated accounts to expose sensitive files through the plugin’s bsr-ajax functionality. For WordPress defenders, the priority is clear: update to a release newer than 1.4.11, review logs for suspicious requests, and rotate secrets if exposure is suspected.

If you manage multiple sites, you may also want to review our related guidance on wordpress plugin security best practices and how to harden wordpress after a breach.

Vulnerability at a glance

Field Value
CVE ID CVE-2025-11024
CVSS score 6.5 Medium
Attack vector Network
Auth required Yes; low privileges, Subscriber-level or higher
Patch status Yes; remediation is indicated by WordPress.org changeset 3379384, in a release newer than 1.4.11

This is a medium-severity WordPress plugin flaw with a direct confidentiality impact. The issue does not require administrator privileges, which is what makes it operationally important in multi-user WordPress environments, membership sites, customer portals, forums, and any deployment where low-trust accounts can be created or compromised.

The core takeaway is simple: if your site runs Better Search Replace 1.4.11 or earlier, treat it as vulnerable until you verify that the plugin has been upgraded to a release newer than 1.4.11 that includes the WordPress.org fix changeset.

What is CVE-2025-11024?

CVE-2025-11024 is a sensitive information exposure issue in the Better Search Replace plugin for WordPress. It is categorized as CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. According to the available advisory data, the vulnerable behavior exists in the plugin’s bsr-ajax action.

The root cause is described as a missing capability check combined with insufficient restrictions on a URL parameter. In practice, that means the plugin exposed functionality to authenticated users who should not have had access to it, while also failing to properly constrain what resources could be requested.

The available advisory material states that an attacker with Subscriber-level access or above may be able to expose arbitrary web pages and files from the server, including configuration files and other sensitive resources, if the server allows direct request access to those files. The examples specifically called out include wp-config.php and .htaccess.

Just as important is what this vulnerability is not. The advisory material provided here does not indicate remote code execution, arbitrary file upload, arbitrary file write, or denial of service. This is primarily a confidentiality issue. If exploited, it may expose credentials, salts, API keys, or configuration details that could later be used in follow-on compromise.

AnalystImpact · assess the risk

Who is affected?

The affected product is the Better Search Replace plugin for WordPress. The vulnerable range is stated as all versions up to and including 1.4.11.

That means:

  • Vulnerable: 1.4.11 and older
  • Not safe to assume fixed: any deployment where the exact installed version is unknown
  • Safer state: the first plugin release newer than 1.4.11 that contains WordPress.org changeset 3379384

This vulnerability matters most in WordPress environments where low-privilege accounts exist or can be obtained. Examples include:

  • Membership sites
  • LMS platforms
  • Forums and community sites
  • WooCommerce stores with customer accounts
  • Shared staging environments
  • Sites with open registration enabled

If your site has no untrusted authenticated users, your exposure is narrower, but still not zero. Compromised credentials, reused passwords, or dormant accounts can still provide the needed access.

There is also an environmental dependency. The advisory notes that exploitation depends on the server allowing direct request access to the targeted files or pages. Some server configurations may make successful retrieval less likely, but defenders should not rely on that as a control in place of patching.

CVSS score and severity

CVE-2025-11024 has a CVSS v3.1 base score of 6.5, rated Medium, with this vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Here is what that means in practical terms:

  • AV:N / Network: the issue can be exploited remotely over normal web access
  • AC:L / Low complexity: no unusual exploit conditions are described
  • PR:L / Low privileges required: Subscriber-level access may be enough
  • UI:N / No user interaction: no admin click or approval is needed
  • S:U / Scope unchanged: impact remains within the vulnerable component boundary
  • C:H / High confidentiality impact: sensitive files may be disclosed
  • I:N / No integrity impact: no evidence of content tampering in the advisory
  • A:N / No availability impact: no outage behavior is described

Operationally, the most important part of the score is the combination of low privileges required and high confidentiality impact. Subscriber accounts are often treated as low risk, but in this case they may become a path to sensitive configuration exposure.

Exploitation status

Based on the material provided, there is no confirmed public proof-of-concept and no confirmed evidence of in-the-wild exploitation at this time.

That should not be misread as low practical risk. The attack requirements are limited:

  1. A vulnerable version of Better Search Replace
  2. An authenticated low-privilege account
  3. A server configuration that permits access to the targeted resources

In many WordPress deployments, those conditions are realistic enough that patching should still be prioritized. Even without a public PoC, the vulnerability description is specific enough that capable attackers may be able to reproduce the behavior.

Bottom line

CVE-2025-11024 is an authenticated information disclosure vulnerability in the Better Search Replace WordPress plugin. It affects all versions through 1.4.11 and may allow low-privilege users to expose sensitive files through the bsr-ajax functionality.

There is no confirmed public PoC and no confirmed active exploitation in the source material provided here, but the risk is still meaningful because the required privileges are low and the information exposed could enable deeper compromise later.

If you run Better Search Replace, update now, review logs for bsr-ajax activity, and rotate secrets if there is any sign that sensitive files may have been disclosed.

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

ResponderRunbook · act now

How to detect possible exploitation

Start by identifying any WordPress sites that have Better Search Replace 1.4.11 or earlier installed. In managed environments, use:

  • Plugin inventory platforms
  • WordPress management consoles
  • EDR or asset discovery tools
  • CMDB records
  • WP-CLI across your fleet

Next, hunt for requests involving the vulnerable action name bsr-ajax. Also search for requests that mention sensitive file names such as:

  • wp-config.php
  • .htaccess

A simple log hunting keyword set is:

"bsr-ajax" OR "wp-config.php" OR ".htaccess"

If your SIEM supports SQL-like search, you can start with:

SELECT timestamp, src_ip, username, uri, http_method, status
FROM web_logs
WHERE uri LIKE '%bsr-ajax%'
   OR uri LIKE '%wp-config.php%'
   OR uri LIKE '%.htaccess%';

Correlate findings with:

  • Newly created Subscriber accounts
  • Unusual login origins
  • Bursts of registration activity
  • Access to admin-ajax.php immediately after login
  • Follow-on suspicious admin activity
  • Unexpected plugin or theme changes
  • Use of API keys or credentials stored in configuration files

If your site lacks rich application logs, review reverse proxy, WAF, and web server telemetry instead. Any suspicious bsr-ajax activity on a vulnerable version deserves investigation.

Mitigation and patching

The primary fix is to upgrade Better Search Replace to a version newer than 1.4.11 that includes the WordPress.org remediation changeset 3379384.

If you use WP-CLI, a practical upgrade workflow is:

wp plugin update better-search-replace

Then verify the installed version:

wp plugin get better-search-replace --field=version

If you cannot yet confirm the fixed package version from your repository or mirror, the safest temporary option is to disable the plugin until you can deploy a patched release:

wp plugin deactivate better-search-replace

Temporary risk reduction steps

If immediate patching is not possible, reduce exposure with these measures:

  • Disable open registration where business requirements allow
  • Review whether Subscriber accounts are necessary
  • Suspend stale or suspicious low-privilege accounts
  • Restrict direct access to sensitive files
  • Confirm that wp-config.php is not web-accessible
  • Review web server handling of dotfiles and configuration paths

These controls do not replace patching, but they can reduce the easiest exploitation paths.

Incident response guidance

If you believe exploitation may have occurred, treat this as a secrets exposure incident.

At minimum, consider rotating:

  • Database credentials
  • WordPress salts and keys
  • API tokens
  • Third-party service secrets stored in configuration files
  • Any credentials present in exposed environment or backup files

Also review for follow-on compromise. Attackers who obtain configuration files often use them quietly later rather than causing obvious disruption during the initial access.

For site owners that need to improve password hygiene after a disclosure event, a password manager such as Try 1Password → can be useful for rotating and storing new credentials safely. If you are investigating suspicious account activity from untrusted networks, using a trusted VPN such as Check NordVPN pricing → may also help administrators protect their own access while traveling or working remotely.

References

The following references were identified in the available research material:

Reference URL
Wordfence vulnerability entry https://www.wordfence.com/threat-intel/vulnerabilities/id/7ce4ce03-db5a-4dce-a821-e81a973581f5?source=cve
WordPress.org vulnerable file reference https://plugins.trac.wordpress.org/browser/better-search-replace/tags/1.4.11/includes/class-bsr-admin.php#L110
WordPress.org fix changeset https://plugins.trac.wordpress.org/changeset/3379384/

The NVD entry should also be treated as a primary source for the vulnerability classification, CVSS vector, and affected version statement. Where the exact first fixed release number is not explicitly stated in the source material, defenders should confirm the installed plugin version against the authoritative plugin release history and ensure it is newer than 1.4.11.

Last verified: 2026-05-14

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.