{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7956", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-21T12:42:31.893Z", "datePublished": "2025-08-28T05:24:52.304Z", "dateUpdated": "2026-04-08T17:27:23.099Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:23.099Z"}, "affected": [{"vendor": "wpdreams", "product": "Ajax Search Lite \u2013 Live Search & Filter", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.13.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ajax Search Lite plugin for WordPress is vulnerable to Basic Information Exposure due to missing authorization in its AJAX search handler in all versions up to, and including, 4.13.1. This makes it possible for unauthenticated attackers to issue repeated AJAX requests to leak the content of any protected post in rolling 100\u2011character windows."}], "title": "Ajax Search Lite <= 4.13.1 - Missing Authorization to Unauthenticated Basic Information Exposure via ASL_Query in AJAX Search Handler", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/daa9c3dd-e8cf-4696-bc0c-4088509f89db?source=cve"}, {"url": "https://wordpress.org/plugins/ajax-search-lite/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/ajax-search-lite/tags/4.13.1/includes/classes/ajax/class-asl-search.php#L37"}, {"url": "https://plugins.trac.wordpress.org/changeset/3349881/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "timeline": [{"time": "2025-08-21T17:22:49.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-27T16:25:29.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-28T13:35:46.240917Z", "id": "CVE-2025-7956", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-28T14:48:35.475Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7956", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-28T13:35:46.240917Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-28T13:35:49.996Z"}}], "cna": {"title": "Ajax Search Lite <= 4.13.1 - Missing Authorization to Unauthenticated Basic Information Exposure via ASL_Query in AJAX Search Handler", "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "wpdreams", "product": "Ajax Search Lite \u2013 Live Search & Filter", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.13.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-21T17:22:49.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-27T16:25:29.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/daa9c3dd-e8cf-4696-bc0c-4088509f89db?source=cve"}, {"url": "https://wordpress.org/plugins/ajax-search-lite/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/ajax-search-lite/tags/4.13.1/includes/classes/ajax/class-asl-search.php#L37"}, {"url": "https://plugins.trac.wordpress.org/changeset/3349881/"}], "descriptions": [{"lang": "en", "value": "The Ajax Search Lite plugin for WordPress is vulnerable to Basic Information Exposure due to missing authorization in its AJAX search handler in all versions up to, and including, 4.13.1. This makes it possible for unauthenticated attackers to issue repeated AJAX requests to leak the content of any protected post in rolling 100\u2011character windows."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-08-28T05:24:52.304Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7956", "state": "PUBLISHED", "dateUpdated": "2025-08-28T14:48:35.475Z", "dateReserved": "2025-07-21T12:42:31.893Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-28T05:24:52.304Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Ajax Search Lite plugin for WordPress is vulnerable to Basic Information Exposure due to missing authorization in its AJAX search handler in all versions up to, and including, 4.13.1. This makes it possible for unauthenticated attackers to issue repeated AJAX requests to leak the content of any protected post in rolling 100\u2011character windows."}, {"lang": "es", "value": "El complemento Ajax Search Lite para WordPress es vulnerable a la Exposici\u00f3n de Informaci\u00f3n B\u00e1sica debido a la falta de autorizaci\u00f3n en su controlador de b\u00fasqueda AJAX en todas las versiones hasta la 4.13.1 incluida. Esto permite a atacantes no autenticados emitir repetidas solicitudes AJAX para filtrar el contenido de cualquier publicaci\u00f3n protegida en ventanas de 100 caracteres."}], "id": "CVE-2025-7956", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-28T06:15:31.493", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ajax-search-lite/tags/4.13.1/includes/classes/ajax/class-asl-search.php#L37"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3349881/"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/ajax-search-lite/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/daa9c3dd-e8cf-4696-bc0c-4088509f89db?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:46:48.380720+00:00", "value": {"mitigation_remediation": ["Upgrade Ajax Search Lite to the latest released version (any build newer than 4.13.1).", "If a patch cannot be applied immediately, disable or uninstall the Ajax Search Lite plugin to eliminate the vulnerable endpoint.", "Apply a temporary server\u2011side restriction (e.g., in .htaccess or a firewall rule) that blocks unauthenticated access to the /asl_search.php AJAX handler or requires a valid WordPress session prior to execution.", "Review and harden any remaining custom search functionality to enforce proper authorization checks before returning post content."], "summary": {"action": "Patch Now", "impact": "Basic Information Exposure"}, "threat_synthesis": {"affected_systems": "The issue affects all versions of the Ajax Search Lite plugin released by wpdreams up to and including 4.13.1. WordPress sites that have installed this plugin and rely on it for live search and filtering are at risk. No specific operating system or WordPress core version is required beyond the presence of the plugin.", "description_and_impact": "The Ajax Search Lite plugin for WordPress is vulnerable to a missing authorization check in its AJAX search handler. This flaw allows any unauthenticated user to send repeated requests that return 100\u2011character windows of the content of protected posts. The exposure is limited to informational leakage and does not provide direct code execution or privilege escalation. This weakness is defined as Missing Authorization (CWE\u2011862).", "risk_and_exploitability": "The vulnerability carries a CVSS score of 5.3, indicating moderate severity. The EPSS score is less than 1\u202f%, suggesting that, while the flaw exists, the probability of exploitation in the wild is low. The flaw is not listed in the CISA KEV catalog. Attackers need only send unauthenticated AJAX requests to the ASL_Query endpoint; no authentication, user\u2011token, or special privileges are required prior to exploitation. The impact is confined to information confidentiality, exposing sensitive or protected post content."}}}}, "created": "2025-08-28T21:21:52.071102+00:00", "updated": "2026-04-20T20:00:10.504568+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}