CVE-2025-2821: 
WordPress vulnerability analysis and mitigation

The Search Exclude plugin for WordPress contains a vulnerability (CVE-2025-2821) discovered in all versions up to and including 2.4.9. The vulnerability was disclosed on May 6, 2025, and stems from a missing capability check in the getrestpermission function, which allows unauthorized users to modify plugin settings (NVD).

The vulnerability is classified as a Missing Authorization (CWE-862) issue with a CVSS v3.1 base score of 5.3 (Medium). The security flaw exists in the getrestpermission function where authorization checks were commented out, allowing unauthenticated attackers to bypass access controls. This vulnerability enables attackers to modify plugin settings without requiring authentication (NVD, WordPress Plugin).

When exploited, the vulnerability allows unauthenticated attackers to modify plugin settings, specifically enabling them to exclude content from search results. This could lead to unauthorized manipulation of website search functionality, potentially hiding legitimate content from users searching the site (NVD).

The vulnerability has been patched in version 2.5.0 of the Search Exclude plugin. The fix implements proper authorization checks in the getrestpermission function to ensure only authenticated users with appropriate permissions can modify plugin settings (WordPress Changeset).