WordPress Plugin Vulnerabilities

Ivory Search < 4.7 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape the post parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. The data parameter was also affected, although it was not reported.

Proof of Concept

Affects Plugins

Plugin icon
add-search-to-menu
Fixed in 4.7

References

CVE
CVE-2021-36869

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Verified
Yes
WPVDB ID
e3c6b9b7-5b6f-44db-8204-9cfedfced1cd

Timeline

Publicly Published
2021-10-01 (about 4 years ago)
Added
2021-10-21 (about 4 years ago)
Last Updated
2022-04-10 (about 4 years ago)

Other

Published
Title
Published
2026-03-06
Title
CM Custom Reports < 1.2.8 - Reflected Cross-Site Scripting via 'date_from' and 'date_to' Parameters
Published
2014-08-01
Title
wppygments <= 0.3.2 - XSS in ZeroClipboard
Published
2024-07-10
Title
WP Announcement < 2.0.9 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2023-01-31
Title
Namaste! LMS < 2.5.9.4 - Admin+ Stored XSS
Published
2025-03-11
Title
In Stock Mailer for WooCommerce <= 2.1.1 - Reflected Cross-Site Scripting