Skip to main content

WP Search Analytics EUVDEUVD-2026-31761

| CVE-2026-27357 MEDIUM
Missing Authorization (CWE-862)
2026-05-25 Patchstack GHSA-prqp-27gf-5pxp
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 11:53 vuln.today
Patch available
May 26, 2026 - 14:01 EUVD

DescriptionCVE.org

Missing Authorization vulnerability in Cornel Raiu WP Search Analytics allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects WP Search Analytics: from n/a before 1.5.0.

AnalysisAI

Missing authorization in the WP Search Analytics WordPress plugin (versions before 1.5.0) allows unauthenticated remote attackers to bypass access controls and perform unauthorized write operations against affected WordPress installations. Reported by Patchstack and tracked as EUVD-2026-31761, this broken access control issue (CWE-862) carries a medium CVSS score of 5.3 with no confidentiality or availability impact - only limited integrity impact. No public exploit has been identified and no active exploitation is confirmed, with EPSS placing exploitation probability at 0.03% (8th percentile), making this a low real-world priority despite being automatable per SSVC.

Technical ContextAI

CWE-862 (Missing Authorization) describes a failure to verify whether the authenticated or unauthenticated caller has permission to perform a requested action before executing it. In the WordPress plugin ecosystem, this typically manifests as REST API endpoints, AJAX handlers, or admin actions that omit capability checks (e.g., current_user_can()) before processing requests. The affected product is confirmed via CPE string cpe:2.3:a:cornel_raiu:wp_search_analytics:*:*:*:*:*:*:*:*, covering all versions of the WP Search Analytics plugin by Cornel Raiu prior to 1.5.0. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms the vulnerability is reachable over the network with no authentication and no user interaction required, consistent with an exposed WordPress plugin endpoint lacking proper access control enforcement.

RemediationAI

Vendor-released patch: version 1.5.0. WordPress site administrators running WP Search Analytics should update to version 1.5.0 or later immediately via the WordPress plugin dashboard or by downloading the updated release. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/search-analytics/vulnerability/wordpress-wp-search-analytics-plugin-1-5-0-broken-access-control-vulnerability confirms the fix is included in 1.5.0. If immediate patching is not possible, a compensating control would be to use a WordPress security plugin (such as Patchstack or Wordfence) that provides virtual patching or firewall rules to block unauthorized access to the specific plugin endpoints; however, this introduces a dependency on third-party firewall rule accuracy and does not eliminate the underlying flaw. Alternatively, temporarily deactivating the WP Search Analytics plugin until patching is feasible eliminates the attack surface entirely, at the cost of losing search analytics functionality.

Share

EUVD-2026-31761 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy