Skip to main content

Ivory Search Wordpress Search Plugin

1 CVEs product

Monthly

CVE-2026-11356 MEDIUM This Month

Stored cross-site scripting in Ivory Search - WordPress Search Plugin (all versions through 5.5.15) allows authenticated WordPress administrators to implant persistent JavaScript payloads via the `menu_title` and `menu_magnifier_color` settings fields, which execute in the browsers of any site visitor loading a page that renders the affected search widget. The root cause is insufficient input sanitization and output escaping in both the admin settings handler (class-is-settings-fields.php:249) and public-facing output routines (class-is-public.php:222, 263, 1199), confirmed via plugin source references on WordPress Trac. No public exploit code has been identified at time of analysis, CISA KEV does not list this CVE, and the CVSS score of 4.4 reflects the high privilege prerequisite rather than the cross-site impact scope.

WordPress XSS Ivory Search Wordpress Search Plugin
NVD VulDB
CVSS 3.1
4.4
EPSS
0.3%
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored cross-site scripting in Ivory Search - WordPress Search Plugin (all versions through 5.5.15) allows authenticated WordPress administrators to implant persistent JavaScript payloads via the `menu_title` and `menu_magnifier_color` settings fields, which execute in the browsers of any site visitor loading a page that renders the affected search widget. The root cause is insufficient input sanitization and output escaping in both the admin settings handler (class-is-settings-fields.php:249) and public-facing output routines (class-is-public.php:222, 263, 1199), confirmed via plugin source references on WordPress Trac. No public exploit code has been identified at time of analysis, CISA KEV does not list this CVE, and the CVSS score of 4.4 reflects the high privilege prerequisite rather than the cross-site impact scope.

WordPress XSS Ivory Search Wordpress Search Plugin
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy