CVE-2025-2821: CWE-862 Missing Authorization in quadlayers Search Exclude
The Search Exclude plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_rest_permission function in all versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to modify plugin settings, excluding content from search results.
AI Analysis
Technical Summary
CVE-2025-2821 is a vulnerability identified in the Search Exclude plugin for WordPress, developed by quadlayers. This plugin allows site administrators to exclude specific content from WordPress search results. The vulnerability arises from a missing capability check in the get_rest_permission function, which is responsible for authorizing REST API requests related to the plugin's settings. Because this authorization check is absent, unauthenticated attackers can send crafted REST API requests to modify the plugin's configuration. This unauthorized modification enables attackers to exclude or include arbitrary content in search results, potentially manipulating what users see when performing searches on the affected WordPress site. The vulnerability affects all versions of the plugin up to and including 2.4.9. The CVSS v3.1 base score is 5.3, reflecting a medium severity level. The attack vector is network-based with no privileges or user interaction required, and the impact is limited to integrity, as confidentiality and availability remain unaffected. No patches or official fixes were linked at the time of publication, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-862 (Missing Authorization).
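The CWE-862 pattern described above, as an added illustration that is not the Search Exclude plugin's own code: a REST route whose permission callback grants access unconditionally, beside the hardened form that requires a logged-in user with the settings capability. The namespace, route, option name and function names are assumed.

```php
<?php
// Added illustration of a missing capability check on a WordPress REST route.
// NOT the Search Exclude plugin's code; namespace, route and option name are assumed.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_save_settings',
        // Before the fix this would point at example_plugin_get_rest_permission_vulnerable,
        // which lets any unauthenticated client reach example_plugin_save_settings.
        'permission_callback' => 'example_plugin_get_rest_permission_fixed',
        'args'                => array(
            'excluded_ids' => array( 'type' => 'array', 'items' => array( 'type' => 'integer' ) ),
        ),
    ) );
} );

// Vulnerable pattern: authorization is absent, so WordPress treats the route as public.
function example_plugin_get_rest_permission_vulnerable() {
    return true; // missing capability check
}

// Hardened pattern: only users who may manage site options can change plugin settings.
// Cookie-authenticated REST requests are only recognised as logged in when they carry a
// valid X-WP-Nonce, so current_user_can() also covers the CSRF side for browser sessions.
function example_plugin_get_rest_permission_fixed( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to change these settings.', 'example-plugin' ),
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

// Settings handler: normalise the submitted post IDs and persist them as an option.
function example_plugin_save_settings( WP_REST_Request $request ) {
    $excluded = array_map( 'absint', (array) $request->get_param( 'excluded_ids' ) );
    update_option( 'example_plugin_excluded_ids', $excluded );
    return rest_ensure_response( array( 'excluded_ids' => $excluded ) );
}
```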
Potential Impact
The primary impact of this vulnerability is the unauthorized modification of the Search Exclude plugin's settings, which affects the integrity of search results on WordPress sites. Attackers can manipulate which content is excluded from search results, potentially hiding critical information or promoting misleading content. This can degrade user trust, affect site usability, and be leveraged in disinformation or censorship campaigns. Although the vulnerability does not expose sensitive data or disrupt site availability, the ability to alter search behavior without authorization can have reputational and operational consequences for organizations relying on accurate search functionality. Since exploitation requires no authentication and can be performed remotely, the risk of automated or mass exploitation exists. Organizations with public-facing WordPress sites using this plugin are at risk globally, especially those in sectors where content integrity is critical, such as news media, e-commerce, and government portals.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately update the Search Exclude plugin to a version that includes the missing authorization check once it is released by quadlayers. Until an official patch is available, administrators can implement the following measures:
1) Restrict REST API access to trusted users or IP addresses using web application firewalls or server-level access controls.
2) Disable or limit the Search Exclude plugin if it is not essential to site operations.
3) Monitor REST API logs for suspicious requests targeting the plugin endpoints.
4) Employ security plugins that can enforce capability checks or block unauthorized REST API calls.
5) Regularly audit plugin configurations and search results for unexpected changes.
These steps help reduce the attack surface and detect potential exploitation attempts before a patch is applied.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-03-26T15:06:43.218Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d981bc4522896dcbd996f
Added to database: 5/21/2025, 9:08:43 AM
Last enriched: 2/27/2026, 1:05:43 PM
Last updated: 3/26/2026, 9:13:01 AM