SearchPlus Security & Risk Analysis

wordpress.org/plugins/searchplus

Upgrades you search box to a fast and modern navigation utility.

10 active installs v1.7.1 PHP 7.0+ WP 4.6+ Updated Aug 13, 2025
autocomplete-type-aheadsearchsuggestionstransliterationvoice
78
B · Generally Safe
CVEs total1
Unpatched1
Last CVEJun 23, 2026
Safety Verdict

Is SearchPlus Safe to Use in 2026?

Mostly Safe

Score 78/100

SearchPlus is generally safe to use. 1 past CVE were resolved.

1 known CVE 1 unpatched Last CVE: Jun 23, 2026Updated 11mo ago
Risk Assessment

The SearchPlus plugin version 1.7.1 exhibits a concerning security posture due to a significant number of unprotected entry points. All six identified AJAX handlers lack any form of authentication or capability checks. This creates a wide attack surface where any authenticated user, potentially even a subscriber, could trigger these handlers, leading to unintended actions or data manipulation. While the plugin does not utilize dangerous functions, conduct raw SQL queries without prepared statements, or make external HTTP requests, the absence of basic security measures on its AJAX endpoints is a critical oversight. The taint analysis identified flows with unsanitized paths, which, when combined with unprotected AJAX handlers, could potentially be exploited if malicious input is passed through these paths. The plugin's history of zero known vulnerabilities might suggest a lack of prior exploitation or a recently introduced set of issues, but it does not mitigate the current risks identified in the static analysis. The lack of proper output escaping on over half of the identified outputs also presents a Cross-Site Scripting (XSS) risk. Overall, while the absence of certain common vulnerabilities is positive, the critical flaw of unprotected AJAX endpoints and potential unsanitized paths demands immediate attention.

Key Concerns

  • AJAX handlers without auth checks
  • Unsanitized paths in taint analysis
  • Insufficient output escaping
  • No nonce checks
  • No capability checks
Vulnerabilities
1 published

SearchPlus Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2026-8617medium · 5.3Missing Authorization

SearchPlus <= 1.7.1 - Missing Authorization to Unauthenticated Settings Modification and Deletion via searchplus_save_token & searchplus_reset_token AJAX Actions

Jun 23, 2026Unpatched
Version History

SearchPlus Release Timeline

v1.7.1Current1 CVE
v1.71 CVE
v1.61 CVE
v1.5.11 CVE
v1.51 CVE
v1.41 CVE
v1.31 CVE
v1.21 CVE
v1.11 CVE
v1.01 CVE
Code Analysis
Analyzed Mar 16, 2026

SearchPlus Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
6
7 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

54% escaped13 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

3 flows2 with unsanitized paths
searchplus_save_token_action_callback (includes\functions.php:24)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
6 unprotected

SearchPlus Attack Surface

Entry Points6
Unprotected6

AJAX Handlers 6

noprivwp_ajax_searchplus_save_tokenincludes\functions.php:39
authwp_ajax_searchplus_save_tokenincludes\functions.php:40
noprivwp_ajax_searchplus_reset_tokenincludes\functions.php:57
authwp_ajax_searchplus_reset_tokenincludes\functions.php:58
noprivwp_ajax_searchplus_account_tokenincludes\functions.php:74
authwp_ajax_searchplus_account_tokenincludes\functions.php:75
WordPress Hooks 4
actionadmin_footerincludes\page_account.php:190
actionwp_enqueue_scriptssearchplus.php:88
actionadmin_enqueue_scriptssearchplus.php:98
actionadmin_menusearchplus.php:108
Maintenance & Trust

SearchPlus Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedAug 13, 2025
PHP min version7.0
Downloads3K

Community Trust

Rating100/100
Number of ratings2
Active installs10
Developer Profile

SearchPlus Developer Profile

ailchev

1 plugin · 10 total installs

79
trust score
Avg Security Score
78/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect SearchPlus

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/searchplus/assets/js/bootstrap.min-5.2.2.js/wp-content/plugins/searchplus/assets/css/bootstrap.min-5.2.2.css/wp-content/plugins/searchplus/sp-wp.js
Script Paths
https://searchplus.pro/sp.js
Version Parameters
searchplus_bootstrap_jssearchplus_bootstrap_csssearchplus_jssearchplus_wp_js

HTML / DOM Fingerprints

JS Globals
SP
FAQ

Frequently Asked Questions about SearchPlus