While testing the Ivory Search plugin for WordPress, I found that version 4.6 and below are vulnerable to reflected XSS. Version 4.6.1, which contains the fix, was released on March 30, 2021.
Summary
Ivory Search is an advanced WordPress search plugin with over 60,000 active installations. It enhances the search experience on WordPress websites and also lets site owners create custom search forms.
Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.
—PortSwigger
Timeline
- Vulnerability reported to the Ivory Search team – March 28, 2021
- Ivory Search version 4.6.1 containing the fix to the vulnerability released – March 30, 2021
Recommendation
It is highly recommended to update the plugin to the latest version.
References
- https://wordpress.org/plugins/add-search-to-menu/#developers
- https://wpscan.com/vulnerability/ecc620be-8e29-4860-9d32-86b5814a3835
- https://nvd.nist.gov/vuln/detail/CVE-2021-24234