WordPress Search Exclude Plugin Missing Authorization Vulnerability in REST API

Vulnerability

A vulnerability exists in the Search Exclude plugin for WordPress in versions up to and including 2.5.7. The issue arises from an inadequate capability check in the Base::get_rest_permission() method, which allows authenticated attackers with Contributor-level access and above to modify plugin settings without authorization, including adding arbitrary posts to the search exclusion list. The vulnerability enables unauthorized data modification through the WordPress REST API.
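The root cause described above is a REST route whose permission callback accepts any authenticated user rather than requiring a capability that matches what the endpoint changes. The following is an added illustrative example, not the Search Exclude plugin's own code: it shows a weak permission callback of that kind beside a hardened one that requires manage_options, registered on an assumed route (example-plugin/v1/exclusions) and option name (example_excluded_posts) chosen for illustration only.

```php
<?php
// Added illustrative example (not the Search Exclude plugin's code).
// Route name, option name and function names are assumed.

// Weak: any logged-in user, including Contributors, passes this check,
// so the settings endpoint is effectively open to every account.
function example_get_rest_permission_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened: require a capability that only administrators hold by default.
// Returning WP_Error with the correct status gives the client a 401/403
// instead of a silent success.
function example_get_rest_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to change search exclusion settings.', 'example-plugin' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Register the settings endpoint with the hardened permission callback
// and schema-based validation of the submitted post IDs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/exclusions', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_update_exclusions',
        'permission_callback' => 'example_get_rest_permission',
        'args'                => array(
            'post_ids' => array(
                'required'          => true,
                'type'              => 'array',
                'items'             => array( 'type' => 'integer' ),
                'sanitize_callback' => function ( $value ) {
                    return array_values( array_unique( array_map( 'absint', (array) $value ) ) );
                },
            ),
        ),
    ) );
} );

// Persist the exclusion list; only reached when the permission callback
// returned true, so an authorization failure never touches the option.
function example_update_exclusions( WP_REST_Request $request ) {
    $post_ids = $request->get_param( 'post_ids' );
    update_option( 'example_excluded_posts', $post_ids );
    return rest_ensure_response( array( 'excluded' => $post_ids ) );
}
```

When reviewing a plugin for this class of issue, read every register_rest_route() call and confirm that permission_callback checks a capability appropriate to the action (for settings writes, typically manage_options), not merely that a user is logged in; a Contributor-level test account that receives a 403 from the endpoint is the quickest confirmation that the fix is in place.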

Impact

Exploitation of this vulnerability allows for unauthorized modification of search exclusion settings, potentially leading to the inclusion of excluded posts in search results.

Remediation

Users can update to version 2.5.8 or a newer patched version to address this vulnerability.

Added: Nov 25, 2025, 4:19 AM
Updated: Nov 25, 2025, 4:19 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 6.1
remediation: 7.7
relevance: 1.2
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.