CVE-2025-62064

Critical

Published: 06 November 2025

Published

06 November 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0008 23.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-62064 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for logical access, directly preventing authentication bypass via alternate paths or channels in the Search & Go theme's password recovery.

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Explicitly identifies and permits only approved actions without identification or authentication, mitigating exploitation of unintended unauthenticated paths like flawed password recovery.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of flaws such as this critical authentication bypass in Search & Go versions through 2.7.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is an authentication bypass in a public-facing WordPress theme, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in Elated-Themes Search & Go search-and-go allows Password Recovery Exploitation.This issue affects Search & Go: from n/a through <= 2.7.

Deeper analysisAI

CVE-2025-62064 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in the Search & Go WordPress theme developed by Elated-Themes. The flaw, published on 2025-11-06, affects the search-and-go theme from its initial release (n/a) through version 2.7 inclusive and enables password recovery exploitation.

With a CVSS v3.1 base score of 9.8 (Critical), the vulnerability allows exploitation over the network (AV:N) with low complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and results in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H). Unauthenticated remote attackers can exploit it to bypass authentication via an alternate path or channel, leveraging password recovery to gain unauthorized access.

The Patchstack advisory provides details on the vulnerability and mitigation at https://patchstack.com/database/Wordpress/Theme/search-and-go/vulnerability/wordpress-search-go-theme-2-7-broken-authentication-vulnerability?_s_id=cve.

Details

CWE(s): CWE-288

CVEs Like This One

CVE-2026-25471Shared CWE-288

CVE-2026-40630Shared CWE-288

CVE-2025-67039Shared CWE-288

CVE-2025-13539Shared CWE-288

CVE-2026-31151Shared CWE-288

CVE-2025-64236Shared CWE-288

CVE-2025-27129Shared CWE-288

CVE-2025-5955Shared CWE-288

CVE-2025-63217Shared CWE-288

CVE-2025-67070Shared CWE-288

References

https://patchstack.com/database/Wordpress/Theme/search-and-go/vulnerability/wordpress-search-go-theme-2-7-broken-authentication-vulnerability?_s_id=cve
audit@patchstack.com