WordPress Plugin Vulnerabilities

Ivory Search < 5.5.10 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Proof of Concept

Affects Plugins

Plugin icon
add-search-to-menu
Fixed in 5.5.10

References

CVE
CVE-2025-5209

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Verified
Yes
WPVDB ID
8b51dc46-62c8-45b5-96ce-fb774b430388

Timeline

Publicly Published
2025-05-27 (about 7 months ago)
Added
2025-05-27 (about 7 months ago)
Last Updated
2025-05-27 (about 7 months ago)

Other

Published
Title
Published
2025-01-07
Title
mcjh button shortcode <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-11-08
Title
Bamboo Enquiries <= 1.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-01-17
Title
TemplatesNext ToolKit < 3.2.8 - Contributor+ Stored XSS
Published
2024-04-09
Title
Bold Page Builder < 4.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Separator Element
Published
2025-04-17
Title
Piotnet Addons For Elementor <= 2.4.36 - Authenticated (Contributor+) Stored Cross-Site Scripting