PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-27357 Cornel Raiu CVE debrief

A Missing Authorization vulnerability (CWE-862) in the WP Search Analytics WordPress plugin, authored by Cornel Raiu, allows exploitation of incorrectly configured access control security levels. The vulnerability affects all versions prior to 1.5.0. The issue was published to the CVE List on 2026-05-25 and last modified on 2026-05-26. The NVD entry currently carries a status of 'Deferred'. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Vendor: Cornel Raiu
Product: WP Search Analytics
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

WordPress site administrators using the WP Search Analytics plugin, security teams managing WordPress deployments, and developers maintaining Cornel Raiu's WP Search Analytics plugin.

Technical summary

The WP Search Analytics plugin for WordPress contains a Missing Authorization vulnerability (CWE-862) that permits attackers to exploit incorrectly configured access control security levels. The vulnerability exists in versions prior to 1.5.0 and has been assigned a CVSS 3.1 base score of 5.3 (MEDIUM severity). The attack vector is network-based with low attack complexity, requiring no privileges or user interaction. The vulnerability impacts integrity only (no confidentiality or availability impact). The issue was disclosed on 2026-05-25 and the CVE record was last modified on 2026-05-26. The NVD entry status is currently 'Deferred'.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade WP Search Analytics to version 1.5.0 or later to remediate the Missing Authorization vulnerability.
  • Review WordPress user role capabilities and restrict access to plugin administrative functions to authorized users only.
  • Monitor WordPress audit logs for unauthorized access attempts to plugin endpoints or administrative pages.
  • Verify plugin update availability through the WordPress admin dashboard or trusted repository before applying changes.

Evidence notes

The vulnerability description and affected version range are sourced from the official CVE record and NVD entry. The CWE-862 classification and CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) are provided by Patchstack via the NVD reference. The vendor attribution to 'Cornel Raiu' and product name 'WP Search Analytics' are derived from the CVE description field.
