CVE-2025-62064

Elated-Themes · Search & Go

The Elated-Themes Search & Go plugin for WordPress contains an authentication bypass vulnerability in its password recovery mechanism, allowing unauthorized account access.

Executive summary

An authentication bypass vulnerability in the Search & Go plugin allows attackers to compromise user accounts via the password recovery workflow.

Vulnerability

The plugin suffers from an authentication bypass via an alternate path or channel during the password recovery process. This flaw allows an attacker to manipulate the recovery workflow to gain unauthorized access to user accounts.

Business impact

A CVSS score of 9.8 reflects the critical nature of this authentication bypass. Unauthorized access to administrative or user accounts can lead to mass data exfiltration, unauthorized administrative changes, and complete compromise of the WordPress site's integrity and user trust.

Remediation

Immediate Action: Update the Search & Go plugin to the latest version as provided by Elated-Themes.

Proactive Monitoring: Monitor user account activity logs for anomalous password resets or unusual login patterns from unrecognized locations.

Compensating Controls: Temporarily disable the password recovery functionality if possible, or restrict access to the login/recovery pages via IP filtering.
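The "Proactive Monitoring" step above asks administrators to look for anomalous password resets. The following script is an added example, not code from the advisory or from Elated-Themes, of what that check can look like when run over an audit trail: it flags a completed reset for a user from an IP address that has never been seen for that account, and a burst of resets for several different accounts from a single IP within a short window. The log format (`<ISO timestamp> <event> user=<login> ip=<addr>`), the event names, the sample lines and the per-user known-IP table are all constructed assumptions; adapt the regex to whatever your audit plugin or web server actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real logs). Assumed format:
# "<ISO timestamp> <event> user=<login> ip=<addr>"
SAMPLE_LOG = """\
2025-10-01T09:00:00 password_reset_request user=alice ip=203.0.113.10
2025-10-01T09:00:05 password_reset_complete user=alice ip=203.0.113.10
2025-10-01T09:01:00 login_success user=alice ip=203.0.113.10
2025-10-01T13:00:00 password_reset_complete user=admin ip=198.51.100.7
2025-10-01T13:00:01 password_reset_complete user=editor ip=198.51.100.7
2025-10-01T13:00:02 password_reset_complete user=bob ip=198.51.100.7
2025-10-01T13:00:30 login_success user=admin ip=198.51.100.7
"""

# Assumed baseline: IPs previously seen for each account (built from history
# in a real deployment; here hard-coded for the example).
KNOWN_IPS = {"alice": {"203.0.113.10"}, "admin": {"192.0.2.44"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse(log_text):
    """Parse the assumed log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event": m["event"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_anomalies(events, known_ips=KNOWN_IPS,
                   window=timedelta(minutes=5), max_accounts_per_ip=2):
    """Return a list of findings as tuples (rule, subject, detail)."""
    findings = []
    resets_by_ip = defaultdict(list)  # ip -> [(timestamp, user)]

    for e in events:
        if e["event"] != "password_reset_complete":
            continue
        # Rule 1: a completed reset from an IP never seen for this account.
        # Accounts with no baseline at all are treated as unknown too.
        if e["ip"] not in known_ips.get(e["user"], set()):
            findings.append(("reset_from_unknown_ip", e["user"], e["ip"]))
        resets_by_ip[e["ip"]].append((e["ts"], e["user"]))

    # Rule 2: one IP completing resets for more than max_accounts_per_ip
    # distinct accounts inside a sliding time window.
    for ip, items in resets_by_ip.items():
        items.sort()
        for i, (t, _) in enumerate(items):
            users = {u for ts, u in items[i:] if ts - t <= window}
            if len(users) > max_accounts_per_ip:
                findings.append(("reset_burst_from_ip", ip, len(users)))
                break
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse(SAMPLE_LOG)):
        print(finding)
```

In the constructed sample, alice's reset from her usual address produces no finding, while the three resets from 198.51.100.7 trigger both rules. Tune `window` and `max_accounts_per_ip` to the site's normal reset volume; a legitimate help-desk address that resets many accounts should be added to the baseline rather than silenced globally.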

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability presents a high risk of account takeover. Administrators must verify their plugin version and apply updates immediately. If patches are not available, evaluate the necessity of the plugin and consider disabling it until a secure version is verified.