CVE-2025-11522
Published: 09 October 2025
Description
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Security Summary
CVE-2025-11522 is an authentication bypass vulnerability that enables account takeover in the Search & Go - Directory WordPress Theme, affecting all versions up to and including 2.7. The flaw stems from insufficient user validation in the search_and_go_elated_check_facebook_user() function and is exploitable when Facebook login is enabled. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The vulnerability was published on 2025-10-09.
Unauthenticated attackers can exploit this issue remotely with low complexity and no user interaction. By leveraging the flawed Facebook login validation, they can impersonate and take over any user account on the site, including those of administrators, thereby gaining unauthorized access to sensitive data and site controls.
Mitigation guidance is available in related advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/da590a65-8728-4577-b6e4-ecebc2a2277d?source=cve and the theme's listing on ThemeForest at https://themeforest.net/item/search-go-modern-smart-directory-theme/15365040.
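To find installs in the affected range (all versions up to and including 2.7), the following Python check scans a WordPress themes directory and flags the theme, and any child theme built on it, by reading the style.css headers. It is an added example, not code from the advisory or the theme vendor. The "Theme Name" pattern and the sample directory layout are assumptions.

```python
import re
from pathlib import Path

LAST_AFFECTED = (2, 7)  # from the advisory: versions up to and including 2.7
# Assumption: the theme's "Theme Name" header reads "Search & Go" or "Search and Go".
NAME_RE = re.compile(r"search\s*(&|and)\s*go", re.I)
HEADER_RE = re.compile(r"^[\s*/]*([A-Za-z ]+?)\s*:\s*(.+?)\s*(\*/)?\s*$")


def read_headers(style_css_text):
    """Parse 'Key: value' theme headers; WordPress reads only the first 8 KiB."""
    headers = {}
    for line in style_css_text[:8192].splitlines():
        m = HEADER_RE.match(line)
        if m:
            headers.setdefault(m.group(1).strip().lower(), m.group(2).strip())
    return headers


def version_tuple(version):
    """'2.7.0' -> (2, 7); trailing zeros are dropped so 2.7.0 equals 2.7."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def find_affected(themes_dir):
    """Return sorted (theme_dir, version) pairs that fall in the affected range."""
    themes = {}
    for css in Path(themes_dir).glob("*/style.css"):
        themes[css.parent.name] = read_headers(css.read_text(errors="replace"))
    findings = []
    for slug, headers in sorted(themes.items()):
        # A child theme names its parent directory in the "Template" header;
        # the vulnerable function ships with the parent, so judge the parent.
        parent = themes.get(headers.get("template", ""), headers)
        if not NAME_RE.search(parent.get("theme name", "")):
            continue
        version = parent.get("version", "")
        # A missing version cannot be cleared, so it is reported as "unknown".
        if not version or version_tuple(version) <= LAST_AFFECTED:
            findings.append((slug, version or "unknown"))
    return findings


if __name__ == "__main__":
    for slug, version in find_affected("wp-content/themes"):
        print(f"{slug}: version {version} is within the affected range")
```

A flagged install is exposed only when Facebook login is enabled, so check that setting on each hit.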
Details
- CWE(s): CWE-288
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An authentication bypass in a public-facing WordPress theme enables unauthenticated account takeover, including of admin accounts, which directly facilitates T1190 (Exploit Public-Facing Application) and T1078.003 (Valid Accounts: Local Accounts).