Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Incorrect Privilege Assignment vulnerability in Elated-Themes Search & Go searchgo allows Privilege Escalation.This issue affects Search & Go: from n/a through <= 2.8.
AnalysisAI
Elated-Themes Search & Go contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation attacks. All versions up to and including version 2.8 are affected. An attacker can exploit this flaw to escalate privileges within the WordPress environment, gaining unauthorized administrative or elevated capabilities. While CVSS and EPSS scores are not available, the vulnerability has been documented by security researcher Patchstack and assigned ENISA EUVD tracking ID EUVD-2026-15582, indicating it has received third-party security scrutiny.
Technical ContextAI
The Search & Go WordPress theme (cpe:2.3:a:elated-themes:search_&_go:*:*:*:*:*:*:*:*) implements user role and capability checks incorrectly, falling under the CWE-266 classification (Incorrect Privilege Assignment). This root cause class describes flaws where a software component assigns excessive privileges to users or processes, or fails to properly validate privilege boundaries before granting access to sensitive functions. In WordPress theme architecture, this typically manifests as inadequate checks on user roles before executing administrative actions, allowing lower-privileged users (subscribers, contributors) to perform restricted operations. The vulnerability affects the core theme functionality through version 2.8 and earlier, suggesting the flaw exists in fundamental privilege-checking routines used across multiple theme features.
RemediationAI
Upgrade Elated-Themes Search & Go to a version newer than 2.8 immediately if available from the vendor. Check the Patchstack database and the official Elated-Themes website for patched versions and detailed upgrade instructions. If a patch is not yet available, implement WordPress-level access controls by restricting user registration, enforcing strong authentication plugins (such as Wordfence or iThemes Security), and limiting administrative role assignments to trusted users only. Additionally, audit current user roles and capabilities using WordPress security plugins to identify any unauthorized privilege grants that may have resulted from prior exploitation. Monitor WordPress security update channels and Patchstack for patch availability notifications specific to Search & Go.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15582
GHSA-8c94-wrf9-4fvc