VYPR
Unrated severity · NVD Advisory · Published Sep 27, 2023 · Updated Apr 28, 2026

WordPress WP Search Analytics Plugin <= 1.4.7 is vulnerable to Cross Site Scripting (XSS)

CVE-2023-30471

Description

Unauthenticated reflected Cross-Site Scripting (XSS) vulnerability in the Cornel Raiu WP Search Analytics plugin, versions <= 1.4.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated reflected XSS in WP Search Analytics plugin <= 1.4.7 allows attackers to inject arbitrary web scripts via crafted requests.

Vulnerability

The WP Search Analytics plugin by Cornel Raiu, versions 1.4.7 and earlier, contains a reflected Cross-Site Scripting (XSS) vulnerability. The plugin fails to properly sanitize user input before reflecting it back in the response, allowing an unauthenticated attacker to inject arbitrary JavaScript. The vulnerability is present in the plugin's admin pages or search analytics functionality. [1]

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL that carries a payload in a parameter the plugin reflects without sanitization. The victim must be logged into WordPress, have access to the affected admin page, and click the link. The attacker needs no authentication and no special privileges to trigger the reflection.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive information such as cookies or login credentials. The impact is limited to the victim's session and browser.

Mitigation

The vulnerability is fixed in version 1.5.0 of the plugin, released on 2026-05-07 (according to the plugin page). Users should update to version 1.5.0 or later. No workarounds are provided. The plugin is not listed on CISA's KEV as of this writing. [1]

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.


References

1
