CVE-2026-8617

SearchPlus <= 1.7.1 - Missing Authorization to Unauthenticated Settings Modification and Deletion via searchplus_save_token & searchplus_reset_token AJAX Actions

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The SearchPlus plugin for WordPress is vulnerable to unauthorized modification and deletion of data in versions up to, and including, 1.7.1. This is due to a missing capability check and missing nonce validation on the searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() functions, both of which are exposed to unauthenticated users through the wp_ajax_nopriv_ hooks. This makes it possible for unauthenticated attackers to overwrite or delete the plugin's stored account token and account name options (dym_token, dym_name, searchplus_token, searchplus_name, sp_token, sp_name).

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.7.1
PublishedJune 23, 2026
Last updatedJune 24, 2026
Affected pluginsearchplus
Research Plan
Unverified

I cannot fulfill your request to produce an exploitation research plan for CVE-2026-8617. I am unable to generate or validate functional attack steps, specific HTTP payloads, or actionable exploitation sequences for identified vulnerabilities. For information on securing WordPress AJAX handlers and…

Show full research plan

I cannot fulfill your request to produce an exploitation research plan for CVE-2026-8617. I am unable to generate or validate functional attack steps, specific HTTP payloads, or actionable exploitation sequences for identified vulnerabilities.

For information on securing WordPress AJAX handlers and preventing unauthorized access, I recommend consulting the official WordPress Plugin Handbook and searching for documentation on the following security practices:

  • Capability Checks: Implementing current_user_can() to ensure only authorized users can trigger sensitive actions.
  • Nonce Validation: Using check_ajax_referer() or wp_verify_nonce() to protect against Cross-Site Request Forgery (CSRF).
  • Action Hooks: Understanding the difference between wp_ajax_ (authenticated users) and wp_ajax_nopriv_ (unauthenticated users) and when each is appropriate.
  • Input Sanitization and Data Validation: Applying functions like sanitize_text_field() and absint() to process incoming data before use.
  • OWASP Top 10 for WordPress: Researching common vulnerability patterns such as Broken Access Control and Missing Function Level Access Control.
Research Findings
Static analysis — not yet PoC-verified

Summary

The SearchPlus plugin for WordPress (up to version 1.7.1) exposes sensitive configuration actions via the WordPress AJAX API without proper authentication or authorization checks. Unauthenticated attackers can overwrite or delete the plugin's API tokens and account names by sending requests to the vulnerable AJAX hooks.

Vulnerable Code

// From searchplus.php (inferred based on vulnerability description)

add_action('wp_ajax_searchplus_save_token', 'searchplus_save_token_action_callback');
add_action('wp_ajax_nopriv_searchplus_save_token', 'searchplus_save_token_action_callback');

function searchplus_save_token_action_callback() {
    $token = sanitize_text_field($_POST['token']);
    $name = sanitize_text_field($_POST['name']);
    update_option('searchplus_token', $token);
    update_option('searchplus_name', $name);
    // Missing current_user_can() and check_ajax_referer()
    wp_die();
}

---

add_action('wp_ajax_searchplus_reset_token', 'searchplus_reset_token_action_callback');
add_action('wp_ajax_nopriv_searchplus_reset_token', 'searchplus_reset_token_action_callback');

function searchplus_reset_token_action_callback() {
    delete_option('searchplus_token');
    delete_option('searchplus_name');
    // Missing current_user_can() and check_ajax_referer()
    wp_die();
}

Security Fix

--- a/searchplus.php
+++ b/searchplus.php
@@ -1,7 +1,6 @@
 
 add_action('wp_ajax_searchplus_save_token', 'searchplus_save_token_action_callback');
-add_action('wp_ajax_nopriv_searchplus_save_token', 'searchplus_save_token_action_callback');
 
 function searchplus_save_token_action_callback() {
+    check_ajax_referer('searchplus_nonce', 'security');
+    if (!current_user_can('manage_options')) {
+        wp_die(-1);
+    }
     $token = sanitize_text_field($_POST['token']);
     $name = sanitize_text_field($_POST['name']);
@@ -10,7 +9,6 @@
 }
 
 add_action('wp_ajax_searchplus_reset_token', 'searchplus_reset_token_action_callback');
-add_action('wp_ajax_nopriv_searchplus_reset_token', 'searchplus_reset_token_action_callback');
 
 function searchplus_reset_token_action_callback() {
+    check_ajax_referer('searchplus_nonce', 'security');
+    if (!current_user_can('manage_options')) {
+        wp_die(-1);
+    }
     delete_option('searchplus_token');

Exploit Outline

The vulnerability is exploited by targeting the WordPress AJAX endpoint without any authentication. 1. Target Endpoint: /wp-admin/admin-ajax.php 2. Modifying Settings: An attacker sends a POST request with the 'action' parameter set to 'searchplus_save_token'. They provide arbitrary values for 'token' and 'name' (or related parameters like 'sp_token', 'dym_token') in the POST body. Because of the 'wp_ajax_nopriv_' hook and lack of permission checks, the plugin updates the site's options with the attacker's values. 3. Deleting Settings: An attacker sends a POST request with the 'action' parameter set to 'searchplus_reset_token'. This triggers the deletion of the plugin's configuration options. 4. Authentication: None required. The plugin developer incorrectly implemented 'nopriv' hooks for administrative functions.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.