VYPR
Unrated severity · NVD Advisory · Published Aug 8, 2024 · Updated Aug 8, 2024

Search Filter Pro < 2.5.18 - Admin+ Stored XSS

CVE-2024-6481

Description

The Search & Filter Pro WordPress plugin before 2.5.18 allows admin-level stored XSS even when unfiltered_html is disallowed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Search & Filter Pro WordPress plugin before version 2.5.18 fails to sanitize and escape some of its settings. This flaw allows high-privilege users, specifically administrators, to inject malicious scripts that are stored and executed in the context of other users' sessions. The vulnerability is particularly impactful in multisite configurations, where the unfiltered_html capability is typically restricted. [1]

Exploitation

An attacker needs administrator-level access to the WordPress site. The attacker can inject a malicious JavaScript payload into an unsanitized plugin setting. When other users, including lower-privilege users, access pages that render the affected settings, the stored XSS payload executes. No additional user interaction beyond viewing the page is required. [1]

Impact

Successful exploitation results in Stored Cross-Site Scripting (XSS). The attacker can execute arbitrary JavaScript in the browsers of other users, leading to potential session hijacking, defacement, or theft of sensitive information. The attack achieves a full scope compromise within the WordPress site, affecting users who view the vulnerable administrative pages. [1]

Mitigation

The vulnerability is fixed in version 2.5.18 of the Search & Filter Pro plugin, released on 2024-07-18. Users should update to this version immediately. No workarounds are documented. The plugin is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
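As an added illustration (not Search & Filter Pro's code; the option name sfp_demo_label and the sfp_demo_* functions are hypothetical), the "settings saved without sanitization and rendered without escaping" pattern the advisory describes, beside the hardened form that honours unfiltered_html on save and escapes on output:

```php
<?php
// Added illustration, not plugin code. Assumes WordPress core is loaded
// (register_setting, get_option, current_user_can, wp_kses_post, esc_attr, esc_html).

// --- Vulnerable pattern: admin-submitted markup is stored verbatim and echoed
// verbatim, so the unfiltered_html capability is never consulted.
function sfp_demo_register_vulnerable() {
    register_setting( 'sfp_demo', 'sfp_demo_label' ); // no sanitize_callback
}
function sfp_demo_render_vulnerable() {
    echo '<input name="sfp_demo_label" value="' . get_option( 'sfp_demo_label' ) . '">';
}

// --- Hardened pattern: sanitize on save according to the saving user's
// capability, then escape on output for the context the value lands in.
function sfp_demo_sanitize_label( $value ) {
    // Users who lack unfiltered_html (e.g. multisite admins) get the same
    // filtering as post content: wp_kses_post() strips script and event-handler markup.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value );
}
function sfp_demo_register_hardened() {
    register_setting( 'sfp_demo', 'sfp_demo_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'sfp_demo_sanitize_label',
        'default'           => '',
    ) );
}
function sfp_demo_render_hardened() {
    $label = get_option( 'sfp_demo_label', '' );
    // esc_attr() for an attribute value, esc_html() for a text node; output
    // escaping is applied regardless of who saved the option.
    echo '<input name="sfp_demo_label" value="' . esc_attr( $label ) . '">';
    echo '<p>' . esc_html( $label ) . '</p>';
}
add_action( 'admin_init', 'sfp_demo_register_hardened' );
```

Where a setting is meant to hold plain text only, sanitize_text_field() on save is the simpler choice; the capability check matters for settings that legitimately accept HTML.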

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 1