{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2821", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-26T15:06:43.218Z", "datePublished": "2025-05-07T01:43:06.640Z", "dateUpdated": "2026-04-08T16:41:00.515Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:00.515Z"}, "affected": [{"vendor": "quadlayers", "product": "Search Exclude", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.4.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Search Exclude plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_rest_permission function in all versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to modify plugin settings, excluding content from search results."}], "title": "Search Exclude <= 2.4.9 - Missing Authorization to Unauthenticated Plugin Settings Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1f72a309-8ef8-4943-8e64-38bb7909397a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/search-exclude/tags/2.4.6/lib/api/entities/settings/class-post.php#L42"}, {"url": "https://plugins.trac.wordpress.org/changeset/3284798/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Noah Stead"}], "timeline": [{"time": "2025-03-20T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-05-06T12:55:08.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-07T13:47:47.047437Z", "id": "CVE-2025-2821", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T14:03:35.051Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2821", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-07T13:47:47.047437Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T13:47:49.134Z"}}], "cna": {"title": "Search Exclude <= 2.4.9 - Missing Authorization to Unauthenticated Plugin Settings Modification", "credits": [{"lang": "en", "type": "finder", "value": "Noah Stead"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "quadlayers", "product": "Search Exclude", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.4.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-20T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-05-06T12:55:08.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1f72a309-8ef8-4943-8e64-38bb7909397a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/search-exclude/tags/2.4.6/lib/api/entities/settings/class-post.php#L42"}, {"url": "https://plugins.trac.wordpress.org/changeset/3284798/"}], "descriptions": [{"lang": "en", "value": "The Search Exclude plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_rest_permission function in all versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to modify plugin settings, excluding content from search results."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:00.515Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2821", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:41:00.515Z", "dateReserved": "2025-03-26T15:06:43.218Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-07T01:43:06.640Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Search Exclude plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_rest_permission function in all versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to modify plugin settings, excluding content from search results."}, {"lang": "es", "value": "El complemento Search Exclude para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n get_rest_permission en todas las versiones hasta la 2.4.9 incluida. Esto permite que atacantes no autenticados modifiquen la configuraci\u00f3n del complemento, excluyendo contenido de los resultados de b\u00fasqueda."}], "id": "CVE-2025-2821", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-07T03:15:17.343", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/search-exclude/tags/2.4.6/lib/api/entities/settings/class-post.php#L42"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3284798/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1f72a309-8ef8-4943-8e64-38bb7909397a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:24:12.739897+00:00", "value": {"mitigation_remediation": ["Update the Search Exclude plugin to the latest available version to remove the missing capability check.", "If an update is not immediately possible, disable the Search Exclude plugin until a patch is applied to prevent unauthenticated configuration changes.", "Configure the site\u2019s firewall or server settings to restrict REST API access to authenticated users only, adding an additional layer of protection against this flaw."], "summary": {"action": "Patch Plugin", "impact": "Unauthenticated Modification of Plugin Settings"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the quadlayers Search Exclude plugin for WordPress versions 2.4.9 and earlier.", "description_and_impact": "The Search Exclude plugin for WordPress contains a missing capability check in its REST API endpoint get_rest_permission. This flaw allows any unauthenticated user to send a request that changes the plugin\u2019s configuration, thereby excluding content from search results. The primary impact is an unauthenticated authorization bypass that can alter site behaviour and potentially hide important posts or pages, affecting the integrity and availability of content discoverability.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1% suggests exploitation likelihood is low, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers can exploit the flaw by making unauthenticated HTTP requests to the plugin\u2019s REST endpoint, bypassing any capability checks. Minimal conditions are required: the target must be a WordPress site running an affected version of the Search Exclude plugin."}}}}, "created": "2026-04-22T17:30:22.634960+00:00", "updated": "2026-04-22T17:30:22.634969+00:00", "vendors": []}