CVE-2025-1528
Description
Authenticated attackers with Subscriber access can read arbitrary post meta values via a missing capability check in Search & Filter Pro up to v2.5.19.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The Search & Filter Pro plugin for WordPress, in all versions up to and including 2.5.19, contains an unsecured endpoint that lacks a proper capability check in the get_meta_values function. This allows authenticated users with Subscriber-level privileges or above to access arbitrary post meta data and taxonomy data stored on the site [1]. The issue was identified by Tom Broucke and disclosed through the Wordfence process [1].
Exploitation
Prerequisites
Exploitation requires an authenticated account with at least the Subscriber role on the target WordPress site. Because the endpoint that exposes get_meta_values performs no capability check, an attacker can call it directly and bypass the intended access controls [1]. The function never verifies that the requesting user is allowed to view the requested post meta fields, so any low-privileged account can read them.
Impact
Successful exploitation allows an attacker to read the values of arbitrary post meta, which may contain sensitive information such as internal notes, user data, or configuration settings stored as custom fields. This exposure could aid in further attacks or violate data confidentiality [1].
Mitigation
Users running version 2 of the plugin are strongly advised to update to version 2.5.20, which adds the missing capability check [1]. Version 3 of the plugin is unaffected by this vulnerability. There is no workaround short of updating; until the patch is applied, limit Subscriber-level accounts (for example by disabling open registration) to reduce the set of users who can reach the endpoint.
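The missing-check pattern described in the Overview and Exploitation sections, beside the shape of the fix shipped in 2.5.20, as an added illustration written for this page rather than code taken from the Search & Filter Pro plugin. It assumes the endpoint is an admin-ajax handler (the advisory calls it an unsecured endpoint without naming it); the sfp_demo_ action names, the meta_key request parameter, the nonce action string and the manage_options capability chosen for the hardened version are all assumptions. Only the name get_meta_values comes from the advisory.

```php
<?php
/*
 * Added illustration, not the plugin's own code. Hypothetical admin-ajax
 * handlers showing the vulnerability class in CVE-2025-1528: a wp_ajax_* hook
 * runs for every logged-in user (Subscribers included), so the handler itself
 * is the only access control. Action names, parameter names and the capability
 * used below are assumptions for this example.
 */

// --- Vulnerable shape: reachable by any authenticated user.
function sfp_demo_vuln_get_meta_values() {
    global $wpdb;

    $meta_key = isset( $_POST['meta_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['meta_key'] ) )
        : '';

    // No nonce, no current_user_can(): returns every value stored under the
    // requested key across all posts, whatever their status or owner.
    $values = $wpdb->get_col(
        $wpdb->prepare(
            "SELECT DISTINCT meta_value FROM {$wpdb->postmeta} WHERE meta_key = %s",
            $meta_key
        )
    );

    wp_send_json_success( $values );
}
add_action( 'wp_ajax_sfp_demo_vuln_get_meta_values', 'sfp_demo_vuln_get_meta_values' );

// --- Hardened shape: CSRF nonce and capability check before any database read.
function sfp_demo_fixed_get_meta_values() {
    // Dies with a 403 unless the request carries a nonce minted with
    // wp_create_nonce( 'sfp_demo_meta_values' ) on a page the user loaded.
    check_ajax_referer( 'sfp_demo_meta_values', 'nonce' );

    // Authorization: pick the narrowest capability that fits the feature;
    // manage_options is the assumed minimum for reading arbitrary meta here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    global $wpdb;
    $meta_key = isset( $_POST['meta_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['meta_key'] ) )
        : '';

    // Refuse empty and protected (underscore-prefixed) keys such as _edit_lock
    // even for privileged callers; is_protected_meta() is WordPress core.
    if ( '' === $meta_key || is_protected_meta( $meta_key, 'post' ) ) {
        wp_send_json_error( array( 'message' => 'invalid meta key' ), 400 );
    }

    // Scope the read to published posts so drafts and private content stay out.
    $values = $wpdb->get_col(
        $wpdb->prepare(
            "SELECT DISTINCT pm.meta_value
               FROM {$wpdb->postmeta} pm
               JOIN {$wpdb->posts} p ON p.ID = pm.post_id
              WHERE pm.meta_key = %s AND p.post_status = 'publish'",
            $meta_key
        )
    );

    wp_send_json_success( $values );
}
add_action( 'wp_ajax_sfp_demo_fixed_get_meta_values', 'sfp_demo_fixed_get_meta_values' );
```

Dropped into a mu-plugin on a test site, the two handlers can be compared with a Subscriber session cookie: a POST to /wp-admin/admin-ajax.php with action=sfp_demo_vuln_get_meta_values and a meta_key returns the values, while action=sfp_demo_fixed_get_meta_values returns a 403 before the query runs. The order of checks matters: check_ajax_referer() stops forged cross-site requests, and current_user_can() stops legitimately logged-in but under-privileged users, which is the case this CVE is about.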
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries listed (no CPE assigned):
- range: <=2.5.19
- range: <=2.5.19
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2 references cited (not listed on this page).
News mentions
No linked articles in our index yet.