cleantalk
Vulnerabilities and Security Researches

SearchPlus, CVE-2026-8617

CVE, Research URL

CVE-2026-8617

Home page URL

Security reports for SearchPlus

Application

SearchPlus

Published on
Jun 24, 2026
Research Description
The SearchPlus plugin for WordPress is vulnerable to unauthorized modification and deletion of data in versions up to, and including, 1.7.1. This is due to a missing capability check and missing nonce validation on the searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() functions, both of which are exposed to unauthenticated users through the wp_ajax_nopriv_ hooks. This makes it possible for unauthenticated attackers to overwrite or delete the plugin's stored account token and account name options (dym_token, dym_name, searchplus_token, searchplus_name, sp_token, sp_name).
Affected versions
max 1.7.1.
Status
vulnerable
Previous vulnerability researches
Blue Captcha (CVE-2026-10552) , Jun 25, 2026
Blue Captcha (CVE-2025-28880) , Mar 26, 2025
New vulnerability
Admin and Site Enhancements (ASE) , Jun 25, 2026
Advanced Google reCAPTCHA , Jun 25, 2026
Page Optimize , Jun 25, 2026
Image Optimizer by Elementor – Compress, Resize and Optimize Images , Jun 25, 2026
Facebook Chat Plugin – Live Chat Plugin for WordPress , Jun 25, 2026