Ivory Search, a WordPress search plugin, had a serious XSS vulnerability. An adversary may use the bug to execute malicious code on the target website. Given the number of active plugin installations, this now-patched vulnerability put over 60,000 websites at risk.
The Ivory Search WordPress plugin contains a reflected cross-site scripting (XSS) vulnerability, according to researchers from Astra Security Threat Intelligence Team. Web applications are affected by reflected XSS vulnerabilities, which allow an adversary to execute malicious code on the client-side. For example, When a user visits an infected web page, malicious code can be executed.
It’s a medium-severity bug, according to the researchers, that allows an adversary to “perform malicious acts” on a target website.
The vulnerability was discovered by the Astra Security team on March 28, 2021, and it affects Ivory Search plugin versions 4.6.0 and lower. As a result, the team contacted the plugin developers the same day to report the issue. As a result, the plugin’s team worked quickly to fix the flaw, and on March 30, 2021, they released version 4.6.1 of the patch. In the changelog on the plugin website, they’ve also acknowledged the bug patch.
It is recommended for the site owners to update the latest version of the Plugin, as soon as possible.
The latest version of the Ivory Search plugin is 4.6.2. To remain secure, all users of this plugin must ensure that their websites are updated to version 4.6.1 or higher.