Skip to main content

Search Go CVE-2026-24971

| EUVDEUVD-2026-15582 CRITICAL
Incorrect Privilege Assignment (CWE-266)
2026-03-25 Patchstack GHSA-8c94-wrf9-4fvc
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15582
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
CRITICAL 9.8

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in Elated-Themes Search & Go searchgo allows Privilege Escalation.This issue affects Search & Go: from n/a through <= 2.8.

AnalysisAI

Elated-Themes Search & Go contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation attacks. All versions up to and including version 2.8 are affected. An attacker can exploit this flaw to escalate privileges within the WordPress environment, gaining unauthorized administrative or elevated capabilities. While CVSS and EPSS scores are not available, the vulnerability has been documented by security researcher Patchstack and assigned ENISA EUVD tracking ID EUVD-2026-15582, indicating it has received third-party security scrutiny.

Technical ContextAI

The Search & Go WordPress theme (cpe:2.3:a:elated-themes:search_&_go:*:*:*:*:*:*:*:*) implements user role and capability checks incorrectly, falling under the CWE-266 classification (Incorrect Privilege Assignment). This root cause class describes flaws where a software component assigns excessive privileges to users or processes, or fails to properly validate privilege boundaries before granting access to sensitive functions. In WordPress theme architecture, this typically manifests as inadequate checks on user roles before executing administrative actions, allowing lower-privileged users (subscribers, contributors) to perform restricted operations. The vulnerability affects the core theme functionality through version 2.8 and earlier, suggesting the flaw exists in fundamental privilege-checking routines used across multiple theme features.

RemediationAI

Upgrade Elated-Themes Search & Go to a version newer than 2.8 immediately if available from the vendor. Check the Patchstack database and the official Elated-Themes website for patched versions and detailed upgrade instructions. If a patch is not yet available, implement WordPress-level access controls by restricting user registration, enforcing strong authentication plugins (such as Wordfence or iThemes Security), and limiting administrative role assignments to trusted users only. Additionally, audit current user roles and capabilities using WordPress security plugins to identify any unauthorized privilege grants that may have resulted from prior exploitation. Monitor WordPress security update channels and Patchstack for patch availability notifications specific to Search & Go.

Share

CVE-2026-24971 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy