Vulnerabilities and security researches foradd-search-to-menu add-search-to-menu

Jun 06, 2024

CVE, Research URL: CVE-2021-36869
Home page URL: Security reports for Ivory Search – WordPress Search Plugin
Application: Ivory Search – WordPress Search Plugin
Date: Oct 22, 2021
Research Description: Reflected Cross-Site Scripting (XSS) vulnerability in WordPress Ivory Search plugin (versions <= 4.6.6). Vulnerable parameter: &post.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2021-24234
Home page URL: Security reports for Ivory Search – WordPress Search Plugin
Application: Ivory Search – WordPress Search Plugin
Date: Apr 23, 2021
Research Description: The Search Forms page of the Ivory Search WordPress lugin before 4.6.1 did not properly sanitise the tab parameter before output it in the page, leading to a reflected Cross-Site Scripting issue when opening a malicious crafted link as a high privilege user. Knowledge of a form id is required to conduct the attack.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-3233
Home page URL: Security reports for Ivory Search – WordPress Search Plugin
Application: Ivory Search – WordPress Search Plugin
Date: May 02, 2024
Research Description: The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_create_index() function in all versions up to, and including, 5.5.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger index creation.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2021-25105
Home page URL: Security reports for Ivory Search – WordPress Search Plugin
Application: Ivory Search – WordPress Search Plugin
Date: Feb 07, 2022
Research Description: The Ivory Search WordPress plugin before 5.4.1 does not escape some of the Form settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Affected versions: Min -, max -.
Status: vulnerable

Sep 06, 2024

CVE, Research URL: CVE-2024-6835
Home page URL: Security reports for Ivory Search – WordPress Search Plugin
Application: Ivory Search – WordPress Search Plugin
Date: Sep 05, 2024
Research Description: The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.5.6 via the ajax_load_posts function. This makes it possible for unauthenticated attackers to extract text data from password-protected posts using the boolean-based attack on the AJAX search form
Affected versions: Min -, max -.
Status: vulnerable

Nov 15, 2024

CVE, Research URL: CVE-2022-4974
Home page URL: Security reports for Ivory Search – WordPress Search Plugin
Application: Ivory Search – WordPress Search Plugin
Date: Oct 16, 2024
Research Description: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions: Min -, max -.
Status: vulnerable

Jun 18, 2025

CVE, Research URL: CVE-2025-5209
Home page URL: Security reports for Ivory Search – WordPress Search Plugin
Application: Ivory Search – WordPress Search Plugin
Date: Jun 17, 2025
Research Description: The Ivory Search WordPress plugin before 5.5.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
Affected versions: Min -, max -.
Status: vulnerable