Better Find and Replace – AI-Powered Suggestions Security & Risk Analysis

wordpress.org/plugins/real-time-auto-find-and-replace

Search and replace text, images, URLs, footer credits, code blocks or jQuery-Ajax content in real time or in Database, easy user-interface

50K active installs · v1.8.0 · PHP 7.2+ · WP 5.2+ · Updated Mar 8, 2026
Tags: database, replace, search, search-and-replace, search-replace

Security score: 89 (A · Safe)
CVEs total: 7
Unpatched: 0
Last CVE: Nov 7, 2025
Safety Verdict

Is Better Find and Replace – AI-Powered Suggestions Safe to Use in 2026?

Generally Safe

Score 89/100

Better Find and Replace – AI-Powered Suggestions has a strong security track record. Known vulnerabilities have been patched promptly.

7 known CVEs · Last CVE: Nov 7, 2025 · Updated 25d ago
Risk Assessment

The "real-time-auto-find-and-replace" plugin v1.8.0 presents a mixed security picture. On the positive side, the static analysis reveals a limited attack surface with no unprotected entry points, a strong emphasis on capability checks, and the majority of SQL queries employing prepared statements. The absence of dangerous functions and file operations is also a good indicator. However, the presence of unsanitized paths in taint analysis, even if not flagged as critical or high severity in this scan, warrants attention as it suggests potential avenues for unexpected behavior or manipulation.

The vulnerability history for this plugin is a significant concern. With 7 known CVEs, including 4 high and 3 medium severity issues, the plugin has a track record of introducing serious security flaws. The recurring vulnerability classes (Code Injection, Authorization issues, Deserialization, SQL Injection, and Cross-site Scripting) indicate a pattern of insecure coding practices. The fact that there are currently no unpatched vulnerabilities is a positive, but the historical trend suggests a high likelihood of future vulnerabilities if development practices do not improve.

In conclusion, while v1.8.0 has made some strides in immediate security measures like authentication and input sanitization for its entry points, the plugin's past security incidents and the identified taint flow issues are red flags. Users should proceed with caution, understanding that the plugin has a history of significant vulnerabilities. Ongoing vigilance and rapid patching of any future issues will be critical.

Key Concerns

  • Vulnerability history: 7 known CVEs, including 4 high and 3 medium
  • Taint analysis: 2 flows with unsanitized paths
  • SQL queries: 12% (2.4, rounded to 2 or 3) not using prepared statements
  • Output escaping: 28% (21.28, rounded to 21 or 22) not properly escaped
  • Bundled library: Select2 (potential outdatedness or vulnerabilities)
Vulnerabilities (7)

Better Find and Replace – AI-Powered Suggestions Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE
  • 2022: 1 CVE
  • 2024: 1 CVE
  • 2025: 4 CVEs

Severity Breakdown

  • High: 4
  • Medium: 3

7 total CVEs

CVE-2025-9334 · high · 8.8 · Improper Control of Generation of Code ('Code Injection')
Better Find and Replace <= 1.7.7 - Authenticated (Subscriber+) Limited Code Injection
Nov 7, 2025 · Patched in 1.7.8 (1d)

CVE-2025-12360 · medium · 4.3 · Improper Authorization
Better Find and Replace <= 1.7.7 - Missing Authorization
Nov 5, 2025 · Patched in 1.7.8 (1d)

CVE-2025-53466 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Better Find and Replace <= 1.7.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
Sep 22, 2025 · Patched in 1.7.7 (8d)

CVE-2025-24734 · high · 8.8 · Missing Authorization
Better Find and Replace <= 1.6.7 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Jan 27, 2025 · Patched in 1.6.8 (25d)

CVE-2024-39636 · high · 8.3 · Deserialization of Untrusted Data
Better Find and Replace <= 1.6.1 - Unauthenticated PHP Object Injection
Jul 29, 2024 · Patched in 1.6.2 (12d)

CVE-2022-1472 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Better Find and Replace <= 1.3.5 - Admin+ SQL Injection
May 30, 2022 · Patched in 1.3.6 (603d)

CVE-2021-24676 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Better Find and Replace <= 1.2.8 - Reflected Cross-Site Scripting
Sep 6, 2021 · Patched in 1.2.9 (869d)
Code Analysis
Analyzed Mar 16, 2026

Better Find and Replace – AI-Powered Suggestions Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 3 (17 prepared)
  • Unescaped Output: 21 (55 escaped)
  • Nonce Checks: 2
  • Capability Checks: 27
  • File Operations: 0
  • External Requests: 1
  • Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

85% prepared · 20 total queries

Output Escaping

72% escaped · 76 total outputs

Data Flows
2 unsanitized

Data Flow Analysis

6 flows · 2 with unsanitized paths

Flow with unsanitized path: generate_page (core\admin\options\pages\AllMaskingRules.php:39)
Attack Surface

Better Find and Replace – AI-Powered Suggestions Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers (2)

  • auth | wp_ajax_rtafar_ajax | core\actions\RTAFAR_CustomAjax.php:21
  • nopriv | wp_ajax_rtafar_ajax | core\actions\RTAFAR_CustomAjax.php:22

WordPress Hooks (27)

  • action | admin_enqueue_scripts | core\actions\RTAFAR_EnqueueScript.php:22
  • action | wp_enqueue_scripts | core\actions\RTAFAR_EnqueueScript.php:24
  • action | wp_enqueue_scripts | core\actions\RTAFAR_EnqueueScript.php:25
  • filter | bfrp_url_types | core\actions\RTAFAR_Hooks.php:24
  • filter | bfrp_select_tables | core\actions\RTAFAR_Hooks.php:27
  • filter | bfrp_should_load_page_assets | core\actions\RTAFAR_Hooks.php:30
  • filter | bfrp_should_load_form_assets | core\actions\RTAFAR_Hooks.php:31
  • action | admin_menu | core\actions\RTAFAR_RegisterMenu.php:59
  • action | admin_enqueue_scripts | core\actions\RTAFAR_RegisterMenu.php:378
  • action | admin_footer | core\actions\RTAFAR_RegisterMenu.php:384
  • action | admin_footer | core\actions\RTAFAR_RegisterMenu.php:416
  • filter | plugin_row_meta | core\actions\RTAFAR_WP_Hooks.php:32
  • action | template_redirect | core\actions\RTAFAR_WP_Hooks.php:34
  • action | upgrader_process_complete | core\actions\RTAFAR_WP_Hooks.php:37
  • action | admin_menu | core\actions\RTAFAR_WP_Hooks.php:40
  • filter | set-screen-option | core\actions\RTAFAR_WP_Hooks.php:41
  • action | init | core\actions\RTAFAR_WP_Hooks.php:44
  • filter | ure_capabilities_groups_tree | core\actions\RTAFAR_WP_Hooks.php:45
  • filter | ure_custom_capability_groups | core\actions\RTAFAR_WP_Hooks.php:46
  • action | admin_init | core\admin\builders\NoticeBuilder.php:28
  • action | admin_notices | core\admin\builders\NoticeBuilder.php:29
  • filter | big_image_size_threshold | core\admin\functions\MediaImageReplacer.php:88
  • action | admin_footer | core\admin\options\pages\AddNewRule.php:46
  • action | admin_footer | core\admin\options\pages\ReplaceInDB.php:45
  • action | init | real-time-auto-find-and-replace.php:78
  • action | init | real-time-auto-find-and-replace.php:81
  • action | plugins_loaded | real-time-auto-find-and-replace.php:84
Maintenance & Trust

Better Find and Replace – AI-Powered Suggestions Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 8, 2026
  • PHP min version: 7.2
  • Downloads: 1.2M

Community Trust

  • Rating: 92/100
  • Number of ratings: 167
  • Active installs: 50K
Developer Profile

Better Find and Replace – AI-Powered Suggestions Developer Profile

CodeSolz

2 plugins · 50K total installs

  • Trust score: 56
  • Avg Security Score: 67/100
  • Avg Patch Time: 217 days
Detection Fingerprints

How We Detect Better Find and Replace – AI-Powered Suggestions

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/real-time-auto-find-and-replace/assets/js/rtafar.admin.global.min.js
/wp-content/plugins/real-time-auto-find-and-replace/assets/css/rtafar-admin-global-style.min.css
Script Paths
/wp-content/plugins/real-time-auto-find-and-replace/assets/js/rtafar.admin.global.min.js
Version Parameters
rtafar.admin.global.min.js?ver=
rtafar-admin-global-style.min.css?ver=

HTML / DOM Fingerprints

Data Attributes
data-rtafr-admin-global-init
JS Globals
window.rtafr
FAQ

Frequently Asked Questions about Better Find and Replace – AI-Powered Suggestions