WordPress Plugin Vulnerabilities

FiboSearch - AJAX Search for WooCommerce < 1.24.0 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not properly sanitize and escape input in admin settings, leading to a Stored Cross-Site Scripting vulnerability in affected pages for multi-site installations and instances where unfiltered_html is disabled.

Affects Plugins

Plugin icon
ajax-search-for-woocommerce
Fixed in 1.24.0

References

CVE
CVE-2023-2450
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ajax-search-for-woocommerce/fibosearch-ajax-search-for-woocommerce-1230-authenticated-admin-stored-cross-site-scripting

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Ivan Kuzymchak
Verified
No
WPVDB ID
5911a466-ce38-4f0d-8fe2-f3f20b0a9584

Timeline

Publicly Published
2023-06-08 (about 2 years ago)
Added
2023-06-09 (about 2 years ago)
Last Updated
2023-06-09 (about 2 years ago)

Other

Published
Title
Published
2025-03-27
Title
Tidekey <= 1.1 - Reflected Cross-Site Scripting
Published
2025-04-01
Title
Team Members for Elementor Page Builder <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2020-05-14
Title
WP Product Review < 3.7.6 - Unauthenticated Stored Cross-Site Scripting (XSS)
Published
2024-09-24
Title
Medical Addon for Elementor <= 1.6.4 - Contributor+ Stored XSS
Published
2024-06-28
Title
Chained Quiz < 1.3.2.9 - Authenticated (Administrator+) Stored Cross-Site Scripting