Description
Cross-Site Request Forgery (CSRF) vulnerability in Angel Costa WP SEO Search wp-seo-search allows Cross Site Request Forgery.This issue affects WP SEO Search: from n/a through <= 1.1.
Published: 2026-01-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery flaw that allows a malicious site to craft a URL or form which, when visited or submitted by a logged‑in administrator of a WordPress site running WP SEO Search, could cause the site to perform state‑changing actions without the user's consent. This weakness is identified as CWE‑352 and enables an attacker to potentially alter plugin settings or perform other privileged actions on the site, compromising the integrity of the site’s configuration.

Affected Systems

The affected product is the WP SEO Search plugin by Angel Costa, versions from the earliest available up to and including 1.1. Any WordPress site using one of these versions is susceptible.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to lure an authenticated user to a crafted page; the breach requires the victim to be logged in with sufficient privileges to access the plugin’s administrative functions.

Generated by OpenCVE AI on April 29, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest WP SEO Search plugin version that includes the CSRF fix if one is available.
  • If no update has been released, disable or uninstall the plugin to eliminate the exposed functionality.
  • Limit administrative access to trusted users and ensure server‑side CSRF token validation for any state‑changing requests performed by the plugin.

Generated by OpenCVE AI on April 29, 2026 at 11:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Angel Costa WP SEO Search wp-seo-search allows Cross Site Request Forgery.This issue affects WP SEO Search: from n/a through <= 1.1.
Title WordPress WP SEO Search plugin <= 1.1 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:26:00.244Z

Reserved: 2025-12-09T16:46:50.744Z

Link: CVE-2025-67626

cve-icon Vulnrichment

Updated: 2026-01-29T01:06:50.864Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:02.333

Modified: 2026-06-17T09:57:56.620

Link: CVE-2025-67626

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T11:30:09Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)