What the vulnerability does
01Description
Cross-Site Request Forgery (CSRF) vulnerability in AA-Team SearchAzon searchazon allows Cross Site Request Forgery.This issue affects SearchAzon: from n/a through <= 1.4.
CVE-2026-22360
MEDIUM
CVE-2026-22360: WordPress SearchAzon plugin <= 1.4 - Cross Site Request Forgery (CSRF) vulnerability
CVSS base score
4.3/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Explanation of Vulnerability in Simple Terms
02Summary
SearchAzon versions 1.4 and earlier contain a cross-site request forgery (CSRF) vulnerability. An attacker can craft a malicious webpage that, when visited by a logged-in user, performs unwanted actions on their behalf within SearchAzon. The vulnerability requires user interaction—the victim must visit the attacker's page while authenticated. Impact is limited to data modification; no data disclosure or service disruption occurs.
What an attacker can do
03Attacker Capabilities
Perform unwanted actions (like changing settings or data) on behalf of a logged-in user without their knowledge.
Potential impact on your site
04Site Impact
Users' SearchAzon settings or data could be modified by attackers via malicious links or pages, potentially affecting site configuration or user accounts.
Conditions required to exploit
05Prerequisites
User must be logged into SearchAzon and visit an attacker-controlled webpage while authenticated.
Key dates
06Disclosure timeline
January 22, 2026
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2024-47879 OpenRefine's PreviewExpressionCommand, which is eval, lacks protection against cross-site request forgery (CSRF)
CVE-2024-49779 IBM OpenPages cross-site request forgery
CVE-2024-4204 Bulk Posts Editing For WordPress <= 4.2.3 - Cross-Site Request Forgery
CVE-2025-49269 WordPress Market Exporter plugin <= 2.0.22 - Cross Site Request Forgery (CSRF) Vulnerability
CVE-2018-25133 Synaccess netBooter NP-0801DU 7.4 Cross-Site Request Forgery via Admin Interface
