Impact
SearchPlus, a WordPress plugin, lacks capability checks and nonce validation in the functions that handle the AJAX actions searchplus_save_token and searchplus_reset_token. This flaw allows an attacker to overwrite or delete the plugin’s stored options that hold account tokens and names. The result is unauthorized modification of configuration data, which can disrupt the plugin’s operation and expose stored credentials. The underlying weakness is a missing authorization control (CWE-862).
Affected Systems
All WordPress installations running SearchPlus version 1.7.1 or earlier are affected. The options the plugin stores under the keys dym_token, dym_name, searchplus_token, searchplus_name, sp_token, and sp_name are the ones exposed to modification.
Risk and Exploitability
The reported CVSS score of 5.3 indicates moderate severity. The likely attack vector is a simple unauthenticated HTTP request to the wp-admin/admin-ajax.php endpoint with the action parameter set to searchplus_save_token or searchplus_reset_token. Because the plugin does not validate the user’s capability or verify a nonce, the attacker can issue the request from any network location. EPSS data is not available, which means the exploitation probability is not quantified, and the vulnerability is not currently listed in CISA’s KEV catalog. However, the ease of exploitation and potential to compromise stored tokens mean that the risk remains tangible for sites that rely on SearchPlus for authentication services.
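A stopgap for sites that cannot update or remove the plugin right away, as an added example that is not part of the advisory or of the plugin's code: a must-use plugin that puts the missing capability check in front of both AJAX actions. The file name, the spg_ identifiers and the choice of manage_options as the required capability are assumptions.

```php
<?php
/**
 * Plugin Name: SearchPlus AJAX guard (added example, hypothetical)
 * Description: Rejects the two SearchPlus token actions unless the caller is an administrator.
 * Install as wp-content/mu-plugins/searchplus-ajax-guard.php (file name is an assumption).
 */

defined( 'ABSPATH' ) || exit;

// Action names as given in the advisory.
const SPG_GUARDED_ACTIONS = array( 'searchplus_save_token', 'searchplus_reset_token' );

// Assumption: only administrators should be able to change the stored tokens.
const SPG_REQUIRED_CAP = 'manage_options';

/**
 * Runs before the plugin's own handler. Returns silently for authorized
 * users; otherwise logs the attempt and ends the request with HTTP 403.
 */
function spg_deny_unauthorized() {
	if ( current_user_can( SPG_REQUIRED_CAP ) ) {
		return; // Authorized: let the plugin's handler run as usual.
	}

	$remote = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: 'unknown';

	// current_action() is the hook name, e.g. wp_ajax_nopriv_searchplus_save_token.
	error_log( sprintf( 'spg: blocked %s from %s (user id %d)', current_action(), $remote, get_current_user_id() ) );

	// wp_send_json_error() sends the response and terminates the request,
	// so callbacks registered at later priorities never execute.
	wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// admin-ajax.php fires wp_ajax_{action} for logged-in users and
// wp_ajax_nopriv_{action} for anonymous ones. Guard both, at the earliest
// possible priority, so the check runs before any handler the plugin registered.
foreach ( SPG_GUARDED_ACTIONS as $spg_action ) {
	add_action( 'wp_ajax_' . $spg_action, 'spg_deny_unauthorized', PHP_INT_MIN );
	add_action( 'wp_ajax_nopriv_' . $spg_action, 'spg_deny_unauthorized', PHP_INT_MIN );
}
```

The guard supplies only the capability check. It does not add nonce validation, so a forged request made through a logged-in administrator's browser still reaches the plugin's handler until the plugin itself is fixed.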