VYPR
Unrated severity · NVD Advisory · Published May 10, 2023 · Updated Apr 28, 2026

WordPress WP Search Analytics Plugin <= 1.4.5 is vulnerable to Cross Site Scripting (XSS)

CVE-2022-47587

Description

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Cornel Raiu WP Search Analytics plugin <= 1.4.5 versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The WP Search Analytics plugin <= 1.4.5 has a stored XSS vulnerability via admin input, allowing attackers with admin privileges to inject malicious scripts.

Vulnerability

The WP Search Analytics plugin versions 1.4.5 and earlier (plugin slug: search-analytics) contain a stored cross-site scripting (XSS) vulnerability [1]. The flaw affects authenticated users with admin-level privileges, who can inject arbitrary JavaScript through the plugin's settings or data input fields. The vulnerability exists because user-supplied input is not properly sanitized before being stored and later rendered in the admin interface. The plugin requires WordPress >= 4.4.0 and PHP >= 5.6 [1].

Exploitation

An attacker must have admin-level access to the WordPress site (role 'admin+') to exploit this vulnerability. The attacker can inject malicious script code into a field (e.g., on the plugin's statistics page or in its settings) whose value is later displayed to other admin users. The stored XSS payload executes in the context of the victim's browser when they view the affected page. No user interaction beyond viewing the page is required for the payload to fire.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any admin user who visits the compromised page. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive data such as cookies or authentication tokens. The scope of the attack is within the WordPress admin dashboard, affecting other administrative users.

Mitigation

The vulnerability is fixed in version 1.5.0 of the plugin, released on May 7, 2026 [1]. Users should update to at least version 1.5.0 immediately. If updating is not possible, administrators should restrict access to the plugin's settings and ensure that only trusted users have admin-level accounts on the WordPress installation. No workaround is documented in the available references.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

1
