Search Everything Security & Risk Analysis

wordpress.org/plugins/search-everything

Search Everything increases WordPress' default search functionality in three easy steps.

10K active installs · v8.1.9 · PHP + WP 3.6+ · Updated Nov 28, 2017
Tags: category-exclusion, category-search, search, search-highlight, tag-search
Score: 81 · B · Generally Safe
CVEs total: 4
Unpatched: 0
Last CVE: Mar 20, 2017
Safety Verdict

Is Search Everything Safe to Use in 2026?

Mostly Safe

Score 81/100

Search Everything is generally safe to use, though it hasn't been updated recently. Its 4 past CVEs have all been resolved.

4 known CVEs · Last CVE: Mar 20, 2017 · Updated 8yr ago
Risk Assessment

The "search-everything" plugin v8.1.9 exhibits a mixed security posture. It follows good practice in its SQL handling, using prepared statements for every query, and includes some nonce and capability checks, but its attack surface and the code analysis raise significant concerns.

The plugin has a single unprotected AJAX handler, a direct entry point for unauthenticated attackers. The static analysis also flags a dangerous function (`create_function`), a known vector for code injection. The taint analysis, though limited in scope, identified flows with unsanitized paths, so sensitive data could be manipulated or exposed if those paths were exploited, although no critical or high severity issues were found in this specific analysis.

The plugin's vulnerability history is particularly concerning. Four known CVEs, three of them critical, and a recurring pattern of SQL injection and CSRF point to a persistent problem with securing input and preventing forged requests. That all previously reported critical vulnerabilities are now patched is a positive sign, but the historical trend highlights a need for more robust security measures.

In conclusion, while the plugin has improved in areas like SQL statement preparation, the unprotected entry point, the use of a dangerous function, and a history of critical vulnerabilities call for a cautious approach. The risk is elevated because an attacker could target the unprotected AJAX handler, and because the plugin's history shows a pattern of severe flaws.

Key Concerns

  • Unprotected AJAX handler
  • Use of dangerous function: create_function
  • Flows with unsanitized paths
  • Vulnerability history: 3 critical CVEs
  • Vulnerability history: 1 medium CVE
  • Low percentage of properly escaped output
Vulnerabilities
4 published

Search Everything Security Vulnerabilities

CVEs by Year

2014: 2 CVEs
2016: 1 CVE
2017: 1 CVE

Severity Breakdown

Critical: 3
Medium: 1

4 total CVEs

CVE-2017-18571 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Search Everything <= 8.1.6 - SQL Injection

Mar 20, 2017 · Patched in 8.1.7 (2500d)

CVE-2016-10917 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Search Everything <= 8.1.5 - SQL Injection

Jun 10, 2016 · Patched in 8.1.6 (2783d)

CVE-2014-3843 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Search Everything <= 8.1 - Cross-Site Request Forgery

May 6, 2014 · Patched in 8.1.1 (3549d)

CVE-2014-2316 · critical · 9.1 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Search Everything <= 7.0.2 - SQL Injection

Feb 11, 2014 · Patched in 7.0.3 (3633d)
Code Analysis
Analyzed Mar 16, 2026

Search Everything Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (17 prepared)
Unescaped Output: 14 (1 escaped)
Nonce Checks: 2
Capability Checks: 3
File Operations: 2
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

create_function · search-everything.php:236 · `$search_terms = array_filter(array_map( create_function( '$a', 'return trim($a, "\\"\'\\n\\r ");' ),`

SQL Query Safety

100% prepared · 17 total queries

Output Escaping

7% escaped · 15 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
se_option_page (options.php:118)
Attack Surface
1 unprotected

Search Everything Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers: 1

auth · wp_ajax_search_everything · search-everything.php:850
WordPress Hooks: 27
action · admin_init · options.php:16
action · admin_enqueue_scripts · options.php:19
action · admin_menu · options.php:20
action · add_meta_boxes · options.php:23
action · all_admin_notices · options.php:31
action · wp_loaded · search-everything.php:49
action · admin_head · search-everything.php:65
action · wp_head · search-everything.php:70
action · all_admin_notices · search-everything.php:92
filter · the_content · search-everything.php:139
filter · the_title · search-everything.php:140
filter · the_excerpt · search-everything.php:141
filter · posts_join · search-everything.php:149
filter · posts_where · search-everything.php:162
filter · posts_join · search-everything.php:171
filter · comment_text · search-everything.php:175
filter · posts_where · search-everything.php:180
filter · posts_where · search-everything.php:185
filter · posts_join · search-everything.php:190
filter · posts_join · search-everything.php:201
filter · posts_join · search-everything.php:207
filter · posts_search · search-everything.php:211
filter · posts_where · search-everything.php:213
filter · posts_request · search-everything.php:215
filter · posts_where · search-everything.php:217
filter · posts_request · search-everything.php:219
action · publish_post · search-everything.php:935
Maintenance & Trust

Search Everything Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.7.33
Last updated: Nov 28, 2017
PHP min version:
Downloads: 1.3M

Community Trust

Rating: 82/100
Number of ratings: 86
Active installs: 10K
Developer Profile

Search Everything Developer Profile

Sovrn

2 plugins · 10K total installs

Trust score: 67
Avg Security Score: 83/100
Avg Patch Time: 3116 days
Detection Fingerprints

How We Detect Search Everything

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/search-everything/css/style.css
/wp-content/plugins/search-everything/css/admin.css
/wp-content/plugins/search-everything/css/jquery.autocomplete.css
/wp-content/plugins/search-everything/js/se-admin.js
/wp-content/plugins/search-everything/js/se-admin-options.js
/wp-content/plugins/search-everything/js/se-admin-metabox.js
/wp-content/plugins/search-everything/js/se-admin-save.js
/wp-content/plugins/search-everything/js/se-admin-autocomplete.js
+1 more

Script Paths
https://ajax.googleapis.com/ajax/libs/jquery/1.8.2/jquery.min.js
https://ajax.googleapis.com/ajax/libs/jqueryui/1.9.1/jquery-ui.min.js

Version Parameters
search-everything/css/style.css?ver=
search-everything/css/admin.css?ver=
search-everything/css/jquery.autocomplete.css?ver=
search-everything/js/se-admin.js?ver=
search-everything/js/se-admin-options.js?ver=
search-everything/js/se-admin-metabox.js?ver=
search-everything/js/se-admin-save.js?ver=
search-everything/js/se-admin-autocomplete.js?ver=
search-everything/js/se-admin-search-fields.js?ver=

HTML / DOM Fingerprints

CSS Classes
se-admin-field-wrap
se-options
se-metabox
search-everything-container
se-search-filter-wrap

HTML Comments
<!-- Search Everything Admin Options -->
<!-- Search Everything Admin Metabox -->
<!-- Search Everything Global Notice -->

Data Attributes
data-se-options
data-se-metabox
data-se-search-fields
JS Globals
se_admin_autocomplete_params
FAQ

Frequently Asked Questions about Search Everything