Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in Cornel Raiu WP Search Analytics allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects WP Search Analytics: from n/a before 1.5.0.
AnalysisAI
Missing authorization in the WP Search Analytics WordPress plugin (versions before 1.5.0) allows unauthenticated remote attackers to bypass access controls and perform unauthorized write operations against affected WordPress installations. Reported by Patchstack and tracked as EUVD-2026-31761, this broken access control issue (CWE-862) carries a medium CVSS score of 5.3 with no confidentiality or availability impact - only limited integrity impact. No public exploit has been identified and no active exploitation is confirmed, with EPSS placing exploitation probability at 0.03% (8th percentile), making this a low real-world priority despite being automatable per SSVC.
Technical ContextAI
CWE-862 (Missing Authorization) describes a failure to verify whether the authenticated or unauthenticated caller has permission to perform a requested action before executing it. In the WordPress plugin ecosystem, this typically manifests as REST API endpoints, AJAX handlers, or admin actions that omit capability checks (e.g., current_user_can()) before processing requests. The affected product is confirmed via CPE string cpe:2.3:a:cornel_raiu:wp_search_analytics:*:*:*:*:*:*:*:*, covering all versions of the WP Search Analytics plugin by Cornel Raiu prior to 1.5.0. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms the vulnerability is reachable over the network with no authentication and no user interaction required, consistent with an exposed WordPress plugin endpoint lacking proper access control enforcement.
RemediationAI
Vendor-released patch: version 1.5.0. WordPress site administrators running WP Search Analytics should update to version 1.5.0 or later immediately via the WordPress plugin dashboard or by downloading the updated release. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/search-analytics/vulnerability/wordpress-wp-search-analytics-plugin-1-5-0-broken-access-control-vulnerability confirms the fix is included in 1.5.0. If immediate patching is not possible, a compensating control would be to use a WordPress security plugin (such as Patchstack or Wordfence) that provides virtual patching or firewall rules to block unauthorized access to the specific plugin endpoints; however, this introduces a dependency on third-party firewall rule accuracy and does not eliminate the underlying flaw. Alternatively, temporarily deactivating the WP Search Analytics plugin until patching is feasible eliminates the attack surface entirely, at the cost of losing search analytics functionality.
More in Wp Search Analytics
View allThe WP Search Analytics plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31761
GHSA-prqp-27gf-5pxp