Description
Missing Authorization vulnerability in Damian Góra FiboSearch ajax-search-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FiboSearch: from n/a through <= 1.32.1.
Published: 2025-08-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows an attacker to exploit incorrectly configured access control settings within the FiboSearch plugin. This flaw can enable unauthorized users to access functionality or data that should be restricted, potentially exposing sensitive content or allowing misuse of search features. The weakness is identified as a classic broken access control (CWE-862).

Affected Systems

All installations of the WordPress FiboSearch plugin developed by Damian Gśóra, from the earliest releases up through version 1.32.1, are affected. No later versions are specified as vulnerable.

Risk and Exploitability

The CVSS score of 5.3 places the issue in the medium severity range, although the EPSS score of less than 1% indicates that the likelihood of exploitation is currently very low. The vulnerability is not listed in CISA’s KEV catalog. Based on the plugin’s nature, the likely attack vector involves web requests to the plugin’s endpoints; no explicit high‑level privileges are required to launch an exploit, but the lack of proper authentication checks allows attackers to use the features meant only for authorized users.

Generated by OpenCVE AI on April 30, 2026 at 16:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress FiboSearch plugin to the latest version (at least 1.32.2) where the access control issue is fixed.
  • If an upgrade is not immediately possible, remove or deactivate the plugin to eliminate the risk until a patch can be applied.
  • After remediation, review and configure the plugin’s access control settings to ensure that only authorized users can access search functionality, thereby preventing future configuration errors.

Generated by OpenCVE AI on April 30, 2026 at 16:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-24228 Insertion of Sensitive Information Into Sent Data vulnerability in Liquid Web GiveWP allows Retrieve Embedded Sensitive Data.This issue affects GiveWP: from n/a before 4.6.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in Liquid Web GiveWP allows Retrieve Embedded Sensitive Data.This issue affects GiveWP: from n/a before 4.6.1. Missing Authorization vulnerability in Damian Góra FiboSearch ajax-search-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FiboSearch: from n/a through <= 1.32.1.
Title WordPress GiveWP Plugin < 4.6.1 is vulnerable to Sensitive Data (PII) Exposure WordPress FiboSearch plugin <= 1.32.1 - Broken Access Control vulnerability
Weaknesses CWE-201 CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Tue, 12 Aug 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Liquidweb
Liquidweb givewp
Wordpress
Wordpress wordpress
Vendors & Products Liquidweb
Liquidweb givewp
Wordpress
Wordpress wordpress

Tue, 12 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 Aug 2025 06:45:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in Liquid Web GiveWP allows Retrieve Embedded Sensitive Data.This issue affects GiveWP: from n/a before 4.6.1.
Title WordPress GiveWP Plugin < 4.6.1 is vulnerable to Sensitive Data (PII) Exposure
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Liquidweb Givewp
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:40.879Z

Reserved: 2025-05-07T09:38:32.079Z

Link: CVE-2025-47444

cve-icon Vulnrichment

Updated: 2025-08-12T13:21:15.259Z

cve-icon NVD

Status : Deferred

Published: 2025-08-12T07:15:28.907

Modified: 2026-04-23T15:30:13.597

Link: CVE-2025-47444

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T16:45:26Z

Weaknesses