CVE-2025-2821

The Search Exclude plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_rest_permission function in all versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to modify plugin settings, excluding content from search results.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/search-exclude/tags/2.4.6/lib/api/entities/settings/class-post.php#L42
https://plugins.trac.wordpress.org/changeset/3284798/
https://www.wordfence.com/threat-intel/vulnerabilities/id/1f72a309-8ef8-4943-8e64-38bb7909397a?source=cve

Configurations

No configuration.

History

07 May 2025, 14:13

Type	Values Removed	Values Added
Summary		(es) El complemento Search Exclude para WordPress es vulnerable a la modificación no autorizada de datos debido a la falta de una comprobación de capacidad en la función get_rest_permission en todas las versiones hasta la 2.4.9 incluida. Esto permite que atacantes no autenticados modifiquen la configuración del complemento, excluyendo contenido de los resultados de búsqueda.

07 May 2025, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-07 03:15

Updated : 2025-05-07 14:13

NVD link : CVE-2025-2821

Mitre link : CVE-2025-2821

CVE.ORG link : CVE-2025-2821

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

5.3 /10