Severity by source
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
AC:L because injecting text into a settings field requires no technical complexity once admin access is obtained; UI:R because stored XSS impact materializes only when a victim browses to the affected page.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Ivory Search - WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'menu_title' and 'menu_magnifier_color' Settings in all versions up to, and including, 5.5.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored cross-site scripting in Ivory Search - WordPress Search Plugin (all versions through 5.5.15) allows authenticated WordPress administrators to implant persistent JavaScript payloads via the menu_title and menu_magnifier_color settings fields, which execute in the browsers of any site visitor loading a page that renders the affected search widget. The root cause is insufficient input sanitization and output escaping in both the admin settings handler (class-is-settings-fields.php:249) and public-facing output routines (class-is-public.php:222, 263, 1199), confirmed via plugin source references on WordPress Trac. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active WordPress session authenticated at the administrator role or above - this is the primary and most significant limiting factor, as lower WordPress roles (editor, author, contributor, subscriber) cannot access the Ivory Search plugin settings. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N scores at 4.4, and the PR:H and AC:H metrics are the critical signal: exploitation requires an authenticated WordPress administrator session, which is a substantial barrier limiting realistic attacker pools to insiders, compromised credentials, or attackers who have already achieved admin-level access via a separate vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A threat actor who has acquired WordPress administrator credentials through phishing or credential stuffing logs into the WP admin dashboard, navigates to the Ivory Search settings page, and injects a JavaScript payload (such as a document.cookie exfiltrator posting to an attacker-controlled endpoint) into the `menu_title` field. The payload is saved without sanitization and subsequently rendered unsanitized into every public-facing page that includes the search widget, silently executing in the browsers of all site visitors and exfiltrating their session cookies or authentication tokens. … |
| Remediation | An upstream fix is confirmed by WordPress plugin repository changeset 3583051 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3583051%40add-search-to-menu&new=3583051%40add-search-to-menu); site operators should update the Ivory Search plugin to the first version released after 5.5.15 that incorporates this changeset, verifiable via the WordPress admin Updates panel or the plugin page at wordpress.org/plugins/add-search-to-menu - note that the exact released patched version number is not independently confirmed from available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39931
GHSA-jwpp-v8v4-wh67