The Search Forms page of the plugin did not properly sanitise the tab parameter before outputting it in the page, leading to a reflected Cross-Site Scripting issue when a high-privilege user opens a maliciously crafted link. Knowledge of a form id is required to conduct the attack.
https://example.com/wp-admin/admin.php?page=ivory-search&post=<form-id>&action=edit&tab=excludes%22%3E%3Cimg+src+onerror%3Dalert%28%2FXSS%2F%29%3E
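The flaw class described above, shown as an added example in plain PHP beside a hardened form. This is not the plugin's source: the hidden-input output context, the function names and the tab allowlist (other than `excludes`, which appears in the URL above) are assumptions made for illustration.

```php
<?php
// Added illustration; NOT the Ivory Search plugin's code.
// Hypothetical allowlist: only "excludes" is taken from the advisory URL.
const ALLOWED_TABS = ['includes', 'excludes', 'options'];

// Vulnerable pattern: the request value is concatenated into an HTML
// attribute without escaping, so a double quote ends the attribute early.
function render_tab_vulnerable(string $tab): string
{
    return '<input type="hidden" name="tab" value="' . $tab . '">';
}

// Hardened pattern: validate against the known tab names, then escape for
// the attribute context at output time. In WordPress code, esc_attr()
// plays the role that htmlspecialchars() plays here.
function render_tab_hardened(string $tab): string
{
    if (!in_array($tab, ALLOWED_TABS, true)) {
        $tab = ALLOWED_TABS[0]; // unknown value: fall back to the default tab
    }
    $safe = htmlspecialchars($tab, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="tab" value="' . $safe . '">';
}

// Escaping alone, for a value that cannot be restricted to an allowlist.
function render_tab_escaped(string $tab): string
{
    $safe = htmlspecialchars($tab, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="tab" value="' . $safe . '">';
}

// Counts the tags a browser would parse out of the rendered markup.
function tag_count(string $html): int
{
    return substr_count($html, '<');
}

// Constructed input: the tab value from the advisory URL, URL-decoded.
$tab = urldecode('excludes%22%3E%3Cimg+src+onerror%3Dalert%28%2FXSS%2F%29%3E');

foreach (['vulnerable', 'escaped', 'hardened'] as $variant) {
    $html = ('render_tab_' . $variant)($tab);
    // One tag means the value stayed inside the attribute; two means the
    // value broke out and injected its own element.
    printf("%-10s tags=%d  %s\n", $variant, tag_count($html), $html);
}
```

Only the vulnerable variant reports two tags. The escaped variant keeps the value as inert attribute text, and the hardened variant discards it because it is not a known tab name.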
Jinson Varghese Behanan
Jinson Varghese Behanan
Yes
2021-03-30 (about 2 years ago)
2021-03-30 (about 2 years ago)
2021-03-31 (about 2 years ago)