Skip to main content

SearchPlus WordPress Plugin CVE-2026-8617

| EUVDEUVD-2026-38674 MEDIUM
Missing Authorization (CWE-862)
2026-06-24 Wordfence GHSA-hrxf-7cvc-wf78
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

wp_ajax_nopriv_ requires no authentication or user interaction; impact limited to integrity of plugin options with no confidentiality or availability loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 24, 2026 - 07:02 vuln.today
CVE Published
Jun 24, 2026 - 05:33 cve.org
MEDIUM 5.3

DescriptionCVE.org

The SearchPlus plugin for WordPress is vulnerable to unauthorized modification and deletion of data in versions up to, and including, 1.7.1. This is due to a missing capability check and missing nonce validation on the searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() functions, both of which are exposed to unauthenticated users through the wp_ajax_nopriv_ hooks. This makes it possible for unauthenticated attackers to overwrite or delete the plugin's stored account token and account name options (dym_token, dym_name, searchplus_token, searchplus_name, sp_token, sp_name).

AnalysisAI

Unauthenticated token manipulation in the SearchPlus WordPress plugin (versions up to and including 1.7.1) allows any remote visitor to overwrite or delete the plugin's stored API credentials by invoking two unprotected AJAX callbacks. Both searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() are registered via wp_ajax_nopriv_ hooks and lack both capability checks and nonce validation, making them freely accessible without authentication. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running active SearchPlus plugin
Delivery
Send unauthenticated POST to wp-admin/admin-ajax.php with plugin action name
Exploit
WordPress routes request via wp_ajax_nopriv_ with no authorization check
Execution
Overwrite stored API token with attacker-controlled value or trigger deletion
Impact
Plugin search feature disrupted or redirected to attacker account

Vulnerability AssessmentAI

Exploitation No special conditions are required beyond the SearchPlus plugin being installed and active - the wp_ajax_nopriv_ hook registration means WordPress intentionally exposes these AJAX endpoints to all unauthenticated visitors, and the complete absence of both current_user_can() checks and nonce validation provides no barrier whatsoever. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N yields a Medium score of 5.3, which accurately reflects the low barrier to exploitation but moderate ceiling on impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP POST request to a vulnerable WordPress site's wp-admin/admin-ajax.php endpoint, specifying the plugin's save or reset token action name in the action parameter along with a replacement token value or a deletion trigger. Because WordPress routes wp_ajax_nopriv_ actions to all users regardless of authentication and the plugin enforces no capability check or nonce, the request is processed and the stored API credentials are overwritten or cleared. …
Remediation No vendor-released patched version is confirmed in the available data - the advisory covers all versions through 1.7.1 with no fixed release cited, so administrators should monitor the WordPress plugin repository and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/b1800f37-f9ab-454b-84f7-4d5eb5ed3acf for a remediated release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8617 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy