SearchWiz WordPress Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the SearchWiz plugin for WordPress, affecting all versions through 1.0.0. The issue arises because the plugin improperly sanitizes post titles in search results, using 'esc_attr()' instead of 'esc_html()'. This flaw allows authenticated attackers with contributor-level access or higher to inject arbitrary scripts into post titles, which are executed when users search and view the results.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the search results.

Reproduction

To reproduce this vulnerability, an authenticated user with contributor-level access or higher can inject a script into a post title. Once the title is saved, the user can perform a search that triggers the 'ajax_load_posts_json' function. This function retrieves and displays the search results, including the titles of the posts. Because the plugin uses 'esc_attr()' to output the titles, the injected script will be executed when the search results are viewed.

Remediation

No known patch is available. Users are advised to uninstall the affected plugin and find a replacement.