Description
The Search & Go - Directory WordPress Theme theme for WordPress is vulnerable to Authentication Bypass via account takeover in all versions up to, and including, 2.7. This is due to insufficient user validation in the search_and_go_elated_check_facebook_user() function This makes it possible for unauthenticated attackers to gain access to other user's accounts, including administrators, when Facebook login is enabled. CVE-2025-62064 is likely a duplicate of this CVE.
Published: 2025-10-09
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover with potential privilege escalation
Action: Patch immediately
AI Analysis

Impact

The theme contains a flaw in the function that validates Facebook users, allowing attackers to bypass authentication. An unauthenticated actor can log in as any user, including administrators, therefore gaining full control of the site. The weakness directly violates authentication control and can lead to unauthorized data access, deletion, or site takeover.

Affected Systems

WordPress sites using the Elated-Themes Search & Go - Directory WordPress Theme version 2.7 or earlier are affected. The vulnerability is present in all releases of the theme up to and including 2.7.

Risk and Exploitability

The CVSS score of 9.8 marks this issue as critical. The EPSS score of < 1% indicates that exploitation is currently considered rare, yet the vulnerability can be exploited remotely by simply sending a crafted request when Facebook login is enabled. The vulnerability is not listed in CISA’s KEV catalog, but its high severity and authentication bypass make it a high‑risk target if the theme is in use.

Generated by OpenCVE AI on April 21, 2026 at 02:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Search & Go theme to the latest version that removes the incomplete Facebook user validation.
  • If immediate theme upgrade is not possible, disable the Facebook login feature to remove the attack vector.
  • Monitor site logs for unusual authentication patterns and consider deploying a web application firewall rule that blocks suspicious requests targeting the Facebook login endpoint.

Generated by OpenCVE AI on April 21, 2026 at 02:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description The Search & Go - Directory WordPress Theme theme for WordPress is vulnerable to Authentication Bypass via account takeover in all versions up to, and including, 2.7. This is due to insufficient user validation in the search_and_go_elated_check_facebook_user() function This makes it possible for unauthenticated attackers to gain access to other user's accounts, including administrators, when Facebook login is enabled. The Search & Go - Directory WordPress Theme theme for WordPress is vulnerable to Authentication Bypass via account takeover in all versions up to, and including, 2.7. This is due to insufficient user validation in the search_and_go_elated_check_facebook_user() function This makes it possible for unauthenticated attackers to gain access to other user's accounts, including administrators, when Facebook login is enabled. CVE-2025-62064 is likely a duplicate of this CVE.

Thu, 09 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 09 Oct 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Elated-themes
Elated-themes search And Go Directory
Wordpress
Wordpress wordpress
Vendors & Products Elated-themes
Elated-themes search And Go Directory
Wordpress
Wordpress wordpress

Thu, 09 Oct 2025 07:45:00 +0000

Type Values Removed Values Added
Description The Search & Go - Directory WordPress Theme theme for WordPress is vulnerable to Authentication Bypass via account takeover in all versions up to, and including, 2.7. This is due to insufficient user validation in the search_and_go_elated_check_facebook_user() function This makes it possible for unauthenticated attackers to gain access to other user's accounts, including administrators, when Facebook login is enabled.
Title Search & Go - Directory WordPress Theme <= 2.7 - Authentication Bypass to Privilege Escalation via Account Takeover
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Elated-themes Search And Go Directory
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:27:19.113Z

Reserved: 2025-10-08T19:02:40.089Z

Link: CVE-2025-11522

cve-icon Vulnrichment

Updated: 2025-10-09T15:17:27.526Z

cve-icon NVD

Status : Deferred

Published: 2025-10-09T08:15:38.250

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11522

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T02:30:25Z

Weaknesses