CVE-2026-24938

Vulnerability

Overview

The Better Search plugin for WordPress, versions 4.2.1 and earlier, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and executed when other users visit affected pages.

Exploitation

Requirements

Exploitation requires a privileged user (such as an administrator) to perform an action, such as clicking a malicious link or submitting a crafted form [1]. The attacker must have the ability to submit input that is later rendered without proper sanitization. This is a stored XSS, meaning the payload persists and can affect multiple visitors over time.

Impact

Successful exploitation enables an attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads, into the website [1]. These scripts execute in the context of visitors' browsers, potentially leading to data theft, session hijacking, or defacement. The vulnerability has a CVSS v3 score of 5.9 (Medium) [1].

Mitigation

The vendor has released version 4.2.2 which resolves the issue [1]. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If immediate updating is not possible, consulting a hosting provider or web developer is recommended [1].