Description
The SearchPlus plugin for WordPress is vulnerable to unauthorized modification and deletion of data in versions up to, and including, 1.7.1. This is due to a missing capability check and missing nonce validation on the searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() functions, both of which are exposed to unauthenticated users through the wp_ajax_nopriv_ hooks. This makes it possible for unauthenticated attackers to overwrite or delete the plugin's stored account token and account name options (dym_token, dym_name, searchplus_token, searchplus_name, sp_token, sp_name).
Published: 2026-06-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SearchPlus, a WordPress plugin, contains missing capability checks and nonce validation in the functions handling the AJAX actions searchplus_save_token and searchplus_reset_token. This flaw allows an attacker to overwrite or delete the plugin’s stored options that hold account tokens and names. The result is unauthorized modification of configuration data, which can disrupt the plugin’s operation and expose stored credentials. The underlying weakness is a missing authorization control (CWE-862).

Affected Systems

All WordPress installations running SearchPlus version 1.7.1 or earlier are affected. The vulnerability specifically targets the option keys dym_token, dym_name, searchplus_token, searchplus_name, sp_token, and sp_name, which are stored by the plugin. Sites using earlier versions of SearchPlus are therefore at risk.

Risk and Exploitability

The reported CVSS score of 5.3 indicates moderate severity. The likely attack vector is a simple unauthenticated HTTP request to the wp-admin/admin-ajax.php endpoint with the action parameter set to searchplus_save_token or searchplus_reset_token. Because the plugin does not validate the user’s capability or verify a nonce, the attacker can issue the request from any network location. EPSS data is not available, which means the exploitation probability is not quantified, and the vulnerability is not currently listed in CISA’s KEV catalog. However, the ease of exploitation and potential to compromise stored tokens mean that the risk remains tangible for sites that rely on SearchPlus for authentication services.

Generated by OpenCVE AI on June 24, 2026 at 09:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SearchPlus to a version that includes proper capability checks and nonce validation for the affected AJAX actions.
  • If an upgrade is not immediately possible, remove or disable the wp_ajax_nopriv_searchplus_save_token and wp_ajax_nopriv_searchplus_reset_token hooks by adding a capability check in a custom plugin or theme’s functions.php file.
  • Restrict public access to wp-admin/admin-ajax.php, ensuring that only authenticated users can reach the plugin’s AJAX endpoints, by configuring web server rules or using a security plugin.

Generated by OpenCVE AI on June 24, 2026 at 09:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Ailchev
Ailchev searchplus
Wordpress
Wordpress wordpress
Vendors & Products Ailchev
Ailchev searchplus
Wordpress
Wordpress wordpress

Wed, 24 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Description The SearchPlus plugin for WordPress is vulnerable to unauthorized modification and deletion of data in versions up to, and including, 1.7.1. This is due to a missing capability check and missing nonce validation on the searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() functions, both of which are exposed to unauthenticated users through the wp_ajax_nopriv_ hooks. This makes it possible for unauthenticated attackers to overwrite or delete the plugin's stored account token and account name options (dym_token, dym_name, searchplus_token, searchplus_name, sp_token, sp_name).
Title SearchPlus <= 1.7.1 - Missing Authorization to Unauthenticated Settings Modification and Deletion via searchplus_save_token & searchplus_reset_token AJAX Actions
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Ailchev Searchplus
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-25T13:32:13.928Z

Reserved: 2026-05-14T17:38:56.751Z

Link: CVE-2026-8617

cve-icon Vulnrichment

Updated: 2026-06-25T13:31:50.645Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:04:45Z

Weaknesses