What the vulnerability does
01 Description
The Ajax Search Lite plugin for WordPress is vulnerable to Basic Information Exposure due to missing authorization in its AJAX search handler in all versions up to, and including, 4.13.1. This makes it possible for unauthenticated attackers to issue repeated AJAX requests to leak the content of any protected post in rolling 100‑character windows.
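A detection sketch for the repeated-request pattern described above, added here as an illustration and not part of the advisory or the plugin's code. It assumes combined-format access logs ordered by time, the standard WordPress AJAX endpoint `/wp-admin/admin-ajax.php`, and a hypothetical threshold of 5 requests per 60 seconds; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

AJAX_PATH = "/wp-admin/admin-ajax.php"  # standard WordPress AJAX endpoint
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def _line(ip, sec, method="POST", url=AJAX_PATH):
    """Build one constructed combined-log line `sec` seconds after a base time."""
    base = datetime(2025, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
    ts = (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {url} HTTP/1.1" 200 512 "-" "-"'

# Constructed sample: one client polling the AJAX endpoint every 2 seconds,
# one client making two widely spaced requests, and an unrelated page view.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s) for s in range(0, 16, 2)]
    + [_line("198.51.100.20", 0), _line("198.51.100.20", 300)]
    + [_line("203.0.113.7", 20, "GET", "/")]
)

def flag_ajax_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak_count} for clients that sent at least
    `threshold` requests to admin-ajax.php inside any sliding `window`."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    peaks = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, ts, _method, url, _status = m.groups()
        if url.split("?", 1)[0] != AJAX_PATH:
            continue              # only the AJAX endpoint is of interest
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop requests that fell out of the window
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

if __name__ == "__main__":
    for ip, count in flag_ajax_bursts(SAMPLE_LOG).items():
        print(f"{ip}: up to {count} admin-ajax.php requests within 60s")
```

Access logs normally omit POST bodies, so this cannot tell search requests from other AJAX traffic; legitimate live-search use also hits the same endpoint, so flagged clients need review rather than automatic blocking.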
Explanation of Vulnerability in Simple Terms
02 Summary
Ajax Search Lite allows unauthenticated attackers to read sensitive information through a missing authorization check. The plugin does not properly restrict access to certain search functionality, exposing data that should be protected. No user interaction is required; an attacker can exploit this remotely by sending direct requests to the vulnerable endpoint.
What an attacker can do
03 Attacker Capabilities
Read sensitive search data or information that should be restricted to authenticated users.
Potential impact on your site
04 Site Impact
Sensitive information indexed by the search plugin may be exposed to unauthenticated visitors.
Conditions required to exploit
05 Prerequisites
Network access to the WordPress site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
August 28, 2025: CVE published
April 8, 2026: Record updated