{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10646", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-17T17:09:04.119Z", "datePublished": "2025-11-25T03:27:43.284Z", "dateUpdated": "2026-04-08T17:16:06.342Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:06.342Z"}, "affected": [{"vendor": "quadlayers", "product": "Search Exclude", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.5.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Search Exclude plugin for WordPress is vulnerable to unauthorized modification of data due to a insufficient capability check on the Base::get_rest_permission() method in all versions up to, and including, 2.5.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify plugin settings, such as adding arbitrary posts to the search exclusion list."}], "title": "Search Exclude <= 2.5.7 \u2013 Missing Authorization to Authenticated (Contributor+) Search Settings Modification via REST API", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b0f62d05-84fb-4cd6-9e5f-0dcfa305ce68?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3379004/search-exclude"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucas Montes"}], "timeline": [{"time": "2025-11-24T15:08:06.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-25T14:41:01.923623Z", "id": "CVE-2025-10646", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:41:11.782Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10646", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-25T14:41:01.923623Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:41:07.828Z"}}], "cna": {"title": "Search Exclude <= 2.5.7 \u2013 Missing Authorization to Authenticated (Contributor+) Search Settings Modification via REST API", "credits": [{"lang": "en", "type": "finder", "value": "Lucas Montes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "quadlayers", "product": "Search Exclude", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.5.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-24T15:08:06.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b0f62d05-84fb-4cd6-9e5f-0dcfa305ce68?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3379004/search-exclude"}], "descriptions": [{"lang": "en", "value": "The Search Exclude plugin for WordPress is vulnerable to unauthorized modification of data due to a insufficient capability check on the Base::get_rest_permission() method in all versions up to, and including, 2.5.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify plugin settings, such as adding arbitrary posts to the search exclusion list."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:06.342Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10646", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:16:06.342Z", "dateReserved": "2025-09-17T17:09:04.119Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-25T03:27:43.284Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Search Exclude plugin for WordPress is vulnerable to unauthorized modification of data due to a insufficient capability check on the Base::get_rest_permission() method in all versions up to, and including, 2.5.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify plugin settings, such as adding arbitrary posts to the search exclusion list."}], "id": "CVE-2025-10646", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-25T04:15:45.370", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3379004/search-exclude"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b0f62d05-84fb-4cd6-9e5f-0dcfa305ce68?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:00:43.642406+00:00", "value": {"mitigation_remediation": ["Update Search Exclude to the latest available version (or any release newer than 2.5.7).", "Limit the REST API access of Contributors by configuring role\u2011based access control or disabling the relevant endpoints for non\u2011admin users.", "Audit the search exclusion lists regularly for unexpected entries and revert any unauthorized changes promptly."], "summary": {"action": "Apply Patch", "impact": "Unauthorized modification of Search Exclude plugin settings"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the Search Exclude plugin (quadlayers:Search Exclude) version 2.5.7 or earlier are affected. No specific vendor or product name beyond the plugin itself is required, as the plugin is widely distributed in the WordPress plugin repository.", "description_and_impact": "The Search Exclude plugin does not validate user capability on its REST API endpoint, allowing any authenticated user with Contributor level or higher to modify the exclusion list. This flaw enables the attacker to add arbitrary posts to the search exclusion list, thereby altering the integrity of search results. The weakness corresponds to CWE\u2011862, an authorization bypass or improper privilege escalation vulnerability.", "risk_and_exploitability": "The CVSS score of 4.3 reflects a moderate severity, but the EPSS score of <1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalogue, and the attack can only be performed by authenticated users who possess at least Contributor rights. As the flaw requires legitimate login credentials and the capability to issue REST API requests, organizations with strict role-based access controls can limit the potential impact. Nevertheless, the ability to tamper with search exclusions could be leveraged to hide content from site visitors or search engines."}}}}, "created": "2025-11-26T11:11:15.933006+00:00", "updated": "2026-04-21T18:15:36.363057+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}