CVE-2026-1053
Description
The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.5.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WordPress Ivory Search plugin allows admin-level attackers to inject arbitrary scripts on multi-site or unfiltered_html-disabled installations.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the Ivory Search – WordPress Search Plugin (versions up to and including 5.5.13). The flaw stems from insufficient input sanitization and output escaping in admin settings, as evidenced in the plugin's code [1].
Exploitation
Exploitation requires authentication with administrator-level permissions. The attack surface is limited to multi-site WordPress installations or sites where the unfiltered_html capability has been disabled. An attacker can inject arbitrary web scripts through admin settings, which are stored and later executed when any user visits an affected page.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, data exfiltration, defacement, or other malicious actions, depending on the attacker's objectives.
Mitigation
As of the publication date, no patched version has been released. Users should monitor the plugin's repository for updates. In the interim, restrict administrator access to trusted users, and consider enabling unfiltered_html on non-multi-site installations where feasible.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.5.13
Patches
No patches discovered yet.
References
- plugins.svn.wordpress.org/add-search-to-menu/tags/5.5.13/public/class-is-public.php
- plugins.trac.wordpress.org/browser/add-search-to-menu/tags/5.5.13/public/class-is-public.php
- plugins.trac.wordpress.org/browser/add-search-to-menu/tags/5.5.13/public/partials/is-ajax-results.php
- plugins.trac.wordpress.org/changeset
- www.wordfence.com/threat-intel/vulnerabilities/id/cdc5ef6a-32d8-4c4b-b459-d9b543b56898