On March 28, 2021, Astra Security Threat Intelligence Team responsibly disclosed a vulnerability in Ivory Search, a WordPress Search Plugin installed on over 60,000 sites. This security vulnerability could be exploited by an attacker to perform malicious actions on a victim’s website.
Ivory Search – WordPress Search Plugin allows its users to create new custom search forms for their WordPress site/s.
Our Threat Intelligence Team led by Jinson Varghese initially reached out to the Ivory Search plugin developers with the full disclosure details on March 28, 2021. The developers responded on March 29, 2021, confirming the vulnerability and its impact. Then a day later, the patch was released – on March 30, 2021.
This is a medium severity reflected XSS vulnerability affecting Ivory search plugin version 4.6.0 and below. Therefore, we highly recommend updating this plugin to its latest version containing the patch, 4.6.1, immediately.
If you are using Astra Security Suite – WordPress Firewall & Malware Scanner then your site is already secured against this vulnerability.
“A particular component on the Ivory Search plugin settings page was not validated properly which enabled the execution of malicious JavaScript code. An attacker can exploit such vulnerabilities to perform malicious actions”, Jinson said.
If you are one of the Ivory Search plugin users, it is highly recommended that you should update the plugin to its fully patched version 4.6.1.
Astra Security Suite – WordPress security plugin, is the go-to security suite for your WordPress website. With Astra Security Suite protecting your website, you don’t have to worry about any malware, credit card hack, SQLi, XSS, SEO Spam, comments spam, brute force & 100+ types of threats again. Right from 24*7 monitoring with Astra Security’s firewall to an on-demand malware scanner, Astra takes care of it all. Take an Astra demo today.
If you’re a WP plugin or theme developer then you can follow this DIY security audit guide to make sure that your plugin has no security loopholes.
Original post at
https://www.getastra.com/blog/911/plugin-exploit/reflected-xss-vulnerability-in-ivory-search-wp-plugin/
About the author: Kanishk Tagade
Kanishk Tagade is a Marketing Manager at Astra Security. Having a hawk-eyed view on the cybersecurity threat landscape, market-shifts, and hacktivism activities, Kanishk is a community member of the Nasscom and corporate contributor at many technology magazines and security awareness platforms.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, WordPress)
[adrotate banner=”5″]
[adrotate banner=”13″]
China-linked threat actors are preparing cyber attacks against U.S. critical infrastructure warned FBI Director Christopher…
The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack…
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly…
This website uses cookies.