Skip to main content

Searchplus

1 CVEs product

Monthly

CVE-2026-8617 MEDIUM This Month

Unauthenticated token manipulation in the SearchPlus WordPress plugin (versions up to and including 1.7.1) allows any remote visitor to overwrite or delete the plugin's stored API credentials by invoking two unprotected AJAX callbacks. Both searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() are registered via wp_ajax_nopriv_ hooks and lack both capability checks and nonce validation, making them freely accessible without authentication. No public exploit or active exploitation has been identified at time of analysis, and real-world impact is limited to disruption of the plugin's search functionality or substitution of attacker-controlled account tokens.

Authentication Bypass WordPress Searchplus
NVD
CVSS 3.1
5.3
EPSS
0.2%
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated token manipulation in the SearchPlus WordPress plugin (versions up to and including 1.7.1) allows any remote visitor to overwrite or delete the plugin's stored API credentials by invoking two unprotected AJAX callbacks. Both searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() are registered via wp_ajax_nopriv_ hooks and lack both capability checks and nonce validation, making them freely accessible without authentication. No public exploit or active exploitation has been identified at time of analysis, and real-world impact is limited to disruption of the plugin's search functionality or substitution of attacker-controlled account tokens.

Authentication Bypass WordPress Searchplus
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy