CVE-2026-0694
Stored XSS in SearchWiz WordPress Plugin Post Titles
Publication date: 2026-01-14
Last updated on: 2026-01-14
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | searchwiz | to 1.0.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the SearchWiz WordPress plugin up to version 1.0.0. It occurs because the plugin uses the function esc_attr() instead of esc_html() when outputting post titles in search results. This improper escaping allows authenticated users with contributor-level access or higher to inject malicious scripts into post titles. These scripts then execute whenever any user performs a search and views the search results page, potentially compromising user security.
How can this vulnerability impact me? :
The impact of this vulnerability is that an attacker with contributor-level access or higher can inject arbitrary JavaScript code into post titles. When other users perform searches and view the search results, the injected scripts execute in their browsers. This can lead to theft of user credentials, session hijacking, defacement, or other malicious actions depending on the attacker's script. Since the vulnerability is stored, the malicious code persists and affects all users viewing the search results.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by searching for post titles containing suspicious or malicious script tags in the SearchWiz plugin's search results. Since the vulnerability involves stored cross-site scripting via post titles, you can inspect the search results page for unexpected HTML or JavaScript execution. Additionally, you can check if the SearchWiz plugin version is 1.0.0 or earlier, as all versions up to 1.0.0 are vulnerable. There are no specific network commands provided in the resources, but you can perform a search query via the AJAX endpoint used by the plugin and observe if script tags in post titles are executed. For example, you might use curl or a browser to perform a search request to the AJAX endpoint and inspect the JSON response or rendered HTML for unescaped script tags. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the SearchWiz plugin to a version later than 1.0.0 if available, as the vulnerability affects all versions up to and including 1.0.0. If an update is not available, restrict contributor-level access and above to trusted users only, since authenticated users with contributor-level access can exploit this vulnerability. Additionally, consider disabling or restricting the SearchWiz plugin's search functionality temporarily to prevent exploitation. Applying input sanitization or output escaping patches to replace `esc_attr()` with `esc_html()` when outputting post titles in search results can also mitigate the issue. Monitoring and logging AJAX requests to the plugin's search endpoint may help detect exploitation attempts. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources and context do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.