Description
Cross-Site Request Forgery (CSRF) vulnerability in Code Amp Search & Filter search-filter allows Cross Site Request Forgery.This issue affects Search & Filter: from n/a through <= 1.2.17.
Published: 2025-10-22
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress Search & Filter plugin with versions up to 1.2.17 contains a Cross‑Site Request Forgery flaw that can be used to redirect a user to an arbitrary URL. The plugin fails to verify a CSRF token when processing certain requests, allowing an attacker to manipulate the redirect path. This enables the attacker to send users to phishing pages or malicious downloads. The weakness is classified as CWE‑352.

Affected Systems

Affected hosts are WordPress sites that have installed the Search & Filter plugin by Code Amp and are running any release with a version number <= 1.2.17. No other versions were impacted at the time of disclosure. The vulnerability can appear on any site that uses the plugin, regardless of the site’s size or user base.

Risk and Exploitability

The CVSS score of 4.7 indicates a moderate severity. The EPSS score is reported as < 1%, so the likelihood that this flaw is actively exploited in the wild is low. It is not listed in CISA’s KEV catalog. The likely attack vector is inferred from the description: an attacker needs to supply a malicious link or form that a user will interact with, and no special privileges are required. If a user follows such a link, the victim will be redirected to the attacker‑controlled site.

Generated by OpenCVE AI on April 29, 2026 at 23:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest version of the Search & Filter plugin that includes the CSRF mitigation fix.
  • If an update is not yet available, remove or deactivate the Search & Filter plugin to prevent the flaw from being exploitable.
  • As a temporary safeguard, add a CSRF check such as verifying a WordPress nonce or the HTTP Referer header before allowing redirect requests to be processed.

Generated by OpenCVE AI on April 29, 2026 at 23:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}

Thu, 23 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Codeamp
Codeamp search & Filter
Wordpress
Wordpress wordpress
Vendors & Products Codeamp
Codeamp search & Filter
Wordpress
Wordpress wordpress

Wed, 22 Oct 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Code Amp Search & Filter search-filter allows Cross Site Request Forgery.This issue affects Search & Filter: from n/a through <= 1.2.17.
Title WordPress Search & Filter plugin <= 1.2.17 - Cross Site Request Forgery (CSRF) to Open Redirect vulnerability
Weaknesses CWE-352
References

Subscriptions

Codeamp Search & Filter
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:18:34.198Z

Reserved: 2025-05-15T17:54:35.011Z

Link: CVE-2025-48099

cve-icon Vulnrichment

Updated: 2025-10-22T20:00:06.267Z

cve-icon NVD

Status : Deferred

Published: 2025-10-22T15:15:34.733

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-48099

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T00:00:14Z

Weaknesses