Reflected XSS Vulnerability found in Ivory Search Plugin

Reflected XSS Vulnerability found in Ivory Search Plugin

Ivory Search

WordPress Search plugin, Ivory Search version 4.6 and below were found to be vulnerable to reflected XSS while I was testing the plugin. Version 4.6.1 with a fix was released on March 30, 2021.



Ivory Search is an advanced WordPress search plugin with over 60,000 active installations, that helps in enhancing the search experience on WordPress websites and also helps in creating custom search forms.

Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.



  • Vulnerability reported to the Ivory Search team – March 28, 2021
  • Ivory Search version 4.6.1 containing the fix to the vulnerability released – March 30, 2021


It is highly recommended to update the plugin to the latest version.


Written by
Jinson Varghese
Join the discussion