CVE-2022-2535
MEDIUM NUCLEI
SearchWP Live Ajax Search <1.6.2 - Info Disclosure
Title source: llm
Exploitation Summary
CVE-2022-2535 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
The SearchWP Live Ajax Search WordPress plugin before 1.6.2 does not ensure that users making a live search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink.
Nuclei Templates (1)
SearchWP Live Ajax Search < 1.6.2 - Unauthenticated Arbitrary Post Title Disclosure
MEDIUM VERIFIED by r3Y3r53, daffainfo
Shodan:
http.html:/wp-content/plugins/searchwp-live-ajax-search/
FOFA:
body=/wp-content/plugins/searchwp-live-ajax-search/
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/0e13c375-044c-4c2e-ab8e-48cb89d90d02
Scores
CVSS v3: 5.3
EPSS: 0.0146
EPSS Percentile: 70.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE: CWE-639
Status: published
Products (1)
searchwp/searchwp_live_ajax_search < 1.6.2
Published: Aug 15, 2022
Tracked Since: Feb 18, 2026