SearchPlus <= 1.7.1 - Missing Authorization to Unauthenticated Settings Modification and Deletion via searchplus_save_token & searchplus_reset_token AJAX Actions
Description
The SearchPlus plugin for WordPress is vulnerable to unauthorized modification and deletion of data in versions up to, and including, 1.7.1. This is due to a missing capability check and missing nonce validation on the searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() functions, both of which are exposed to unauthenticated users through the wp_ajax_nopriv_ hooks. This makes it possible for unauthenticated attackers to overwrite or delete the plugin's stored account token and account name options (dym_token, dym_name, searchplus_token, searchplus_name, sp_token, sp_name).
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
I cannot fulfill your request to produce an exploitation research plan for CVE-2026-8617. I am unable to generate or validate functional attack steps, specific HTTP payloads, or actionable exploitation sequences for identified vulnerabilities. For information on securing WordPress AJAX handlers and…
Show full research plan
I cannot fulfill your request to produce an exploitation research plan for CVE-2026-8617. I am unable to generate or validate functional attack steps, specific HTTP payloads, or actionable exploitation sequences for identified vulnerabilities.
For information on securing WordPress AJAX handlers and preventing unauthorized access, I recommend consulting the official WordPress Plugin Handbook and searching for documentation on the following security practices:
- Capability Checks: Implementing
current_user_can()to ensure only authorized users can trigger sensitive actions. - Nonce Validation: Using
check_ajax_referer()orwp_verify_nonce()to protect against Cross-Site Request Forgery (CSRF). - Action Hooks: Understanding the difference between
wp_ajax_(authenticated users) andwp_ajax_nopriv_(unauthenticated users) and when each is appropriate. - Input Sanitization and Data Validation: Applying functions like
sanitize_text_field()andabsint()to process incoming data before use. - OWASP Top 10 for WordPress: Researching common vulnerability patterns such as Broken Access Control and Missing Function Level Access Control.
Summary
The SearchPlus plugin for WordPress (up to version 1.7.1) exposes sensitive configuration actions via the WordPress AJAX API without proper authentication or authorization checks. Unauthenticated attackers can overwrite or delete the plugin's API tokens and account names by sending requests to the vulnerable AJAX hooks.
Vulnerable Code
// From searchplus.php (inferred based on vulnerability description) add_action('wp_ajax_searchplus_save_token', 'searchplus_save_token_action_callback'); add_action('wp_ajax_nopriv_searchplus_save_token', 'searchplus_save_token_action_callback'); function searchplus_save_token_action_callback() { $token = sanitize_text_field($_POST['token']); $name = sanitize_text_field($_POST['name']); update_option('searchplus_token', $token); update_option('searchplus_name', $name); // Missing current_user_can() and check_ajax_referer() wp_die(); } --- add_action('wp_ajax_searchplus_reset_token', 'searchplus_reset_token_action_callback'); add_action('wp_ajax_nopriv_searchplus_reset_token', 'searchplus_reset_token_action_callback'); function searchplus_reset_token_action_callback() { delete_option('searchplus_token'); delete_option('searchplus_name'); // Missing current_user_can() and check_ajax_referer() wp_die(); }
Security Fix
@@ -1,7 +1,6 @@ add_action('wp_ajax_searchplus_save_token', 'searchplus_save_token_action_callback'); -add_action('wp_ajax_nopriv_searchplus_save_token', 'searchplus_save_token_action_callback'); function searchplus_save_token_action_callback() { + check_ajax_referer('searchplus_nonce', 'security'); + if (!current_user_can('manage_options')) { + wp_die(-1); + } $token = sanitize_text_field($_POST['token']); $name = sanitize_text_field($_POST['name']); @@ -10,7 +9,6 @@ } add_action('wp_ajax_searchplus_reset_token', 'searchplus_reset_token_action_callback'); -add_action('wp_ajax_nopriv_searchplus_reset_token', 'searchplus_reset_token_action_callback'); function searchplus_reset_token_action_callback() { + check_ajax_referer('searchplus_nonce', 'security'); + if (!current_user_can('manage_options')) { + wp_die(-1); + } delete_option('searchplus_token');
Exploit Outline
The vulnerability is exploited by targeting the WordPress AJAX endpoint without any authentication. 1. Target Endpoint: /wp-admin/admin-ajax.php 2. Modifying Settings: An attacker sends a POST request with the 'action' parameter set to 'searchplus_save_token'. They provide arbitrary values for 'token' and 'name' (or related parameters like 'sp_token', 'dym_token') in the POST body. Because of the 'wp_ajax_nopriv_' hook and lack of permission checks, the plugin updates the site's options with the attacker's values. 3. Deleting Settings: An attacker sends a POST request with the 'action' parameter set to 'searchplus_reset_token'. This triggers the deletion of the plugin's configuration options. 4. Authentication: None required. The plugin developer incorrectly implemented 'nopriv' hooks for administrative functions.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.