WordPress Plugin Vulnerabilities

Search Exclude < 1.2.4 - Arbitrary Settings Change

Description

Unauthenticated plugin settings change via admin_init
Authenticated plugin settings change via AJAX

Affects Plugins

Plugin icon
search-exclude
Fixed in 1.2.4

References

CVE
CVE-2019-15895
URL
https://blog.nintechnet.com/settings-change-vulnerability-in-wordpress-search-exclude-plugin/

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Jerome Bruandet (nintechnet.com)
Verified
No
WPVDB ID
c0299ca4-4dc0-4107-bf82-cfa8846a938d

Timeline

Publicly Published
2019-09-07 (about 6 years ago)
Added
2019-09-07 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2023-06-19
Title
Greeklish-permalink < 3.5 - Unauthenticated Post Slug Update
Published
2020-01-13
Title
Ultimate Member < 2.1.3 - Insecure Direct Object Reference (IDOR)
Published
2025-05-22
Title
Hospital Management System <= 47.0(20-11-2023) - Authenticated (Subscriber+) Privilege Escalation
Published
2025-11-06
Title
IDonate 2.1.5 - 2.1.9 - Subscriber+ Account Takeover/Privilege Escalation
Published
2024-10-09
Title
UserPlus <= 2.0 - Unauthenticated Privilege Escalation