Skip to main content

Ivory Search EUVDEUVD-2026-39931

| CVE-2026-11356 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-27 Wordfence GHSA-jwpp-v8v4-wh67
4.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
4.8 MEDIUM

AC:L because injecting text into a settings field requires no technical complexity once admin access is obtained; UI:R because stored XSS impact materializes only when a victim browses to the affected page.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 27, 2026 - 02:14 vuln.today
CVE Published
Jun 27, 2026 - 01:27 cve.org
MEDIUM 4.4

DescriptionCVE.org

The Ivory Search - WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'menu_title' and 'menu_magnifier_color' Settings in all versions up to, and including, 5.5.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored cross-site scripting in Ivory Search - WordPress Search Plugin (all versions through 5.5.15) allows authenticated WordPress administrators to implant persistent JavaScript payloads via the menu_title and menu_magnifier_color settings fields, which execute in the browsers of any site visitor loading a page that renders the affected search widget. The root cause is insufficient input sanitization and output escaping in both the admin settings handler (class-is-settings-fields.php:249) and public-facing output routines (class-is-public.php:222, 263, 1199), confirmed via plugin source references on WordPress Trac. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain WordPress admin credentials via phishing or stuffing
Delivery
Authenticate to WordPress admin dashboard
Exploit
Navigate to Ivory Search plugin settings
Install
Inject JavaScript payload into menu_title or menu_magnifier_color field
C2
Malicious value persists in plugin configuration database
Execute
Victim browses page rendering the search widget
Impact
Injected script executes in victim browser and exfiltrates session tokens

Vulnerability AssessmentAI

Exploitation Exploitation requires an active WordPress session authenticated at the administrator role or above - this is the primary and most significant limiting factor, as lower WordPress roles (editor, author, contributor, subscriber) cannot access the Ivory Search plugin settings. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N scores at 4.4, and the PR:H and AC:H metrics are the critical signal: exploitation requires an authenticated WordPress administrator session, which is a substantial barrier limiting realistic attacker pools to insiders, compromised credentials, or attackers who have already achieved admin-level access via a separate vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A threat actor who has acquired WordPress administrator credentials through phishing or credential stuffing logs into the WP admin dashboard, navigates to the Ivory Search settings page, and injects a JavaScript payload (such as a document.cookie exfiltrator posting to an attacker-controlled endpoint) into the `menu_title` field. The payload is saved without sanitization and subsequently rendered unsanitized into every public-facing page that includes the search widget, silently executing in the browsers of all site visitors and exfiltrating their session cookies or authentication tokens. …
Remediation An upstream fix is confirmed by WordPress plugin repository changeset 3583051 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3583051%40add-search-to-menu&new=3583051%40add-search-to-menu); site operators should update the Ivory Search plugin to the first version released after 5.5.15 that incorporates this changeset, verifiable via the WordPress admin Updates panel or the plugin page at wordpress.org/plugins/add-search-to-menu - note that the exact released patched version number is not independently confirmed from available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39931 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy