| Plugin Name | WordPress Better Find and Replace Plugin |
|---|---|
| Type of Vulnerability | Cross-Site Scripting (XSS) |
| CVE Number | CVE-2026-3369 |
| Urgency | Low |
| CVE Publish Date | 2026-04-18 |
| Source URL | CVE-2026-3369 |
Authenticated (Author) Stored XSS in Better Find and Replace (<= 1.7.9): What Site Owners Need to Know
On April 16, 2026 a stored cross-site scripting (XSS) vulnerability affecting the WordPress plugin “Better Find and Replace — AI‑Powered Suggestions” (plugin slug: real-time-auto-find-and-replace) was published and assigned CVE-2026-3369. The issue impacts plugin versions up to and including 1.7.9 and was fixed in version 1.8.0.
As security professionals based in Hong Kong, we provide a concise, pragmatic explanation for site owners, developers and incident responders: what the issue is, plausible attack scenarios, immediate mitigations if you cannot update right away, and durable hardening and detection steps. No sensationalism — just actionable guidance you can apply now.
Executive summary
- Vulnerability: Stored Cross‑Site Scripting (XSS) in the Better Find and Replace plugin (<=1.7.9).
- CVE: CVE‑2026‑3369
- Impact: Attackers with Author-level privileges can store malicious JavaScript in the title of an uploaded image. If that title is later rendered without proper escaping, the script executes in the context of the viewer (admin, editor, etc.).
- Severity: Low (Patch scoring CVSS 5.9); stored XSS can still be chained to escalate privileges, hijack sessions, perform actions, or persist backdoors.
- Required privilege: Author (authenticated)
- Patched: Update to version 1.8.0 or later to resolve the issue.
- Immediate mitigation: Update plugin. If updating is impossible, temporarily revoke upload capability from risky roles, scan attachment titles for suspicious input, and deploy server-side rules to block requests containing script-like payloads in form fields or file metadata.
How this vulnerability works (technical overview — high level)
Stored XSS occurs when user-controlled input is stored and later rendered without proper output encoding. In this case:
- An authenticated user with Author capability can upload an image (create an attachment post).
- The plugin allows the attachment’s title (
post_title) to contain unsanitized HTML/JavaScript. - When that title is rendered without escaping (admin screens or public pages), the malicious script executes in the viewer’s browser.
- If the viewer is privileged, the attacker can perform actions in that user’s session, exfiltrate tokens, or persist further payloads.
Important nuance: exploitation requires an authenticated Author (or higher) account to upload the crafted attachment. This lowers the surface compared to a public unauthenticated upload, but many sites allow uploads from contributors or authors, so the risk remains notable.
Realistic attack scenarios
Stored XSS is a flexible primitive for attackers. Practical misuse cases include:
- Malicious Author on a compromised account
If an attacker acquires Author credentials (phishing, credential stuffing, reused passwords), they can upload an image with a crafted title and await privileged staff viewing the media or admin screens. - Abuse of collaborative workflows
Multi-author blogs, external contributors or guest authors can be leveraged to introduce payloads during normal editorial activity. - Privilege escalation & persistence
Executed scripts in an admin’s browser can issue privileged AJAX requests, create admin accounts, install plugins/themes, or inject further backdoors. - Front-end exposure
If a theme outputs attachment titles without escaping on the front end, public visitors may be affected depending on site templates. - CSRF chaining
With XSS you can read CSRF tokens and perform state-changing operations as the victim user.
What to do immediately — short checklist (action now)
- Update the plugin to v1.8.0 or later (the fastest, definitive fix).
- If you cannot update immediately:
