FiboSearch < 1.18.0 – Admin+ Stored Cross-Site Scripting | CVE 2022-1469 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed

Proof of Concept

Put the following payload in the Woocommerce > FiboSearch > Autocomplete > Products -> "No results label" or "More results label" fields and save: <svg/onload=confirm(/XSS/)>

Affects Plugins

ajax-search-for-woocommerce

Fixed in 1.18.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dipak Panchal

Submitter

th3.d1p4k

Submitter twitter

Verified

Yes

WPVDB ID

88869380-173d-4d4f-81d8-3c20add5f98d

Timeline

Publicly Published

2022-05-16 (about 3 years ago)

Added

2022-05-16 (about 3 years ago)

Last Updated

2022-05-18 (about 3 years ago)

Other

Published

Title

Published

2025-02-03

Title

Appointment Buddy Widget <= 1.2 - Reflected Cross-Site Scripting

Published

2024-02-02

Title

BEAR < 1.1.4.1 - Authenticated (Shop manager+) Stored Cross-Site Scripting via Plugin Options

Published

2024-05-22

Title

Sassy social share < 3.3.63 Admin+ Stored Cross-Site scripting

Published

2025-04-11

Title

SureForms < 1.4.4 - Admin+ Stored XSS

Published

2022-12-02

Title

Chained Quiz < 1.3.2.3 - Reflected Cross-Site Scripting