CVE-2026-24938
Unknown Unknown - Not Provided
Stored XSS in Better Search ≀ 4.2.1 Enables Persistent Attacks

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Better Search better-search allows Stored XSS.This issue affects Better Search: from n/a through <= 4.2.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24938
EUVD
EUVD-2026-5309
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
better_search better_search to 4.2.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24938 is a Cross Site Scripting (XSS) vulnerability affecting the WordPress Better Search Plugin versions up to and including 4.2.1.

This vulnerability allows a malicious actor to inject and execute malicious scripts such as redirects, advertisements, or other HTML payloads on a website when visitors access it.

Exploitation requires user interaction by a privileged user (author or developer role) performing actions like clicking a malicious link, visiting a crafted page, or submitting a form.

The issue is fixed in version 4.2.2 of the plugin.

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts on your website, which may lead to unwanted redirects, display of unauthorized advertisements, or injection of harmful HTML content.

Such actions can compromise the integrity and trustworthiness of your website, potentially affecting user experience and security.

However, exploitation requires interaction by a privileged user, which limits the risk somewhat.

Updating the plugin to version 4.2.2 or later mitigates this vulnerability.

Detection Guidance

Detection of CVE-2026-24938 involves identifying attempts to exploit the Stored Cross Site Scripting (XSS) vulnerability in the Better Search WordPress plugin versions up to 4.2.1.

Since exploitation requires a privileged user interacting with malicious input (such as clicking a crafted link or submitting a form), monitoring web server logs for suspicious input patterns or unusual POST requests targeting the Better Search plugin endpoints can help detect attempts.

There are no specific commands provided in the resources to detect this vulnerability directly.

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate and recommended mitigation step is to update the Better Search WordPress plugin to version 4.2.2 or later, where this vulnerability is fixed.'}, {'type': 'paragraph', 'content': "Additionally, users can consider using mitigation services such as Patchstack's auto-update feature for vulnerable plugins to ensure timely patching."}] [1]

Compliance Impact

CVE-2026-24938 is a Cross Site Scripting (XSS) vulnerability that allows malicious scripts to be injected and executed on affected websites. Such vulnerabilities can potentially lead to unauthorized access to user data or manipulation of website content, which may impact the confidentiality and integrity of data.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks that could lead to non-compliance with these regulations due to potential data breaches or unauthorized data exposure.

To mitigate these risks and maintain compliance, it is recommended to update the Better Search plugin to version 4.2.2 or later, where the vulnerability is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24938. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart