CVE-2026-27357
Description
Missing Authorization vulnerability in Cornel Raiu WP Search Analytics allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects WP Search Analytics: from n/a before 1.5.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WP Search Analytics before 1.5.0 allows unprivileged attackers to access or modify search analytics data via broken access control.
Vulnerability
A missing authorization vulnerability exists in the WP Search Analytics plugin for WordPress, versions prior to 1.5.0. The plugin fails to properly enforce access control checks, allowing unauthenticated or low-privileged users to exploit incorrectly configured security levels. The advisory gives no lower bound for the affected range (listed as "n/a"), so every release before 1.5.0 is affected [1].
Exploitation
An attacker needs no special privileges or authentication to exploit this vulnerability. By sending crafted requests to the affected endpoints, they can trigger functions that should require higher privileges. The broken access control means no nonce or capability checks are performed on certain actions, enabling exploitation remotely over HTTP [1].
Impact
Successful exploitation leads to unauthorized access to search analytics data, which may include sensitive information about site searches and visitor behavior. The attacker can modify or view data without proper authorization, resulting in a low-severity information disclosure and potential data integrity compromise. No code execution or privilege escalation beyond the analytics functionality is reported [1].
Mitigation
Users should update to version 1.5.0 or later immediately. The update addresses the missing authorization checks. Those who cannot update immediately can enable auto-updates via Patchstack or manually apply the fix. No workarounds are documented. The plugin is not listed on CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <1.5.0
- Range: <1.5.0
Patches
No patches discovered yet.
References