Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
wp_ajax_nopriv_ requires no authentication or user interaction; impact limited to integrity of plugin options with no confidentiality or availability loss.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The SearchPlus plugin for WordPress is vulnerable to unauthorized modification and deletion of data in versions up to, and including, 1.7.1. This is due to a missing capability check and missing nonce validation on the searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() functions, both of which are exposed to unauthenticated users through the wp_ajax_nopriv_ hooks. This makes it possible for unauthenticated attackers to overwrite or delete the plugin's stored account token and account name options (dym_token, dym_name, searchplus_token, searchplus_name, sp_token, sp_name).
AnalysisAI
Unauthenticated token manipulation in the SearchPlus WordPress plugin (versions up to and including 1.7.1) allows any remote visitor to overwrite or delete the plugin's stored API credentials by invoking two unprotected AJAX callbacks. Both searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() are registered via wp_ajax_nopriv_ hooks and lack both capability checks and nonce validation, making them freely accessible without authentication. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required beyond the SearchPlus plugin being installed and active - the wp_ajax_nopriv_ hook registration means WordPress intentionally exposes these AJAX endpoints to all unauthenticated visitors, and the complete absence of both current_user_can() checks and nonce validation provides no barrier whatsoever. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N yields a Medium score of 5.3, which accurately reflects the low barrier to exploitation but moderate ceiling on impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP POST request to a vulnerable WordPress site's wp-admin/admin-ajax.php endpoint, specifying the plugin's save or reset token action name in the action parameter along with a replacement token value or a deletion trigger. Because WordPress routes wp_ajax_nopriv_ actions to all users regardless of authentication and the plugin enforces no capability check or nonce, the request is processed and the stored API credentials are overwritten or cleared. … |
| Remediation | No vendor-released patched version is confirmed in the available data - the advisory covers all versions through 1.7.1 with no fixed release cited, so administrators should monitor the WordPress plugin repository and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/b1800f37-f9ab-454b-84f7-4d5eb5ed3acf for a remediated release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38674
GHSA-hrxf-7cvc-wf78