PT-2020-13019 · Catch Themes · Catch Breadcrumb

Published: 2020-04-23 · Updated: 2020-04-30 · CVE-2020-12054

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Catch Breadcrumb plugin versions prior to 1.5.4

Description: The issue allows reflected XSS via the s parameter, which is a search query. This affects not only the Catch Breadcrumb plugin but also 16 themes by the same author if the plugin is enabled. These themes include Alchemist, Alchemist PRO, Izabel, Izabel PRO, Chique, Chique PRO, Clean Enterprise, Clean Enterprise PRO, Bold Photography PRO, Intuitive PRO, Devotepress PRO, Clean Blocks PRO, Foodoholic PRO, Catch Mag PRO, Catch Wedding PRO, and Higher Education PRO.

Recommendations: For versions prior to 1.5.4, update the Catch Breadcrumb plugin to version 1.5.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the s parameter in search queries until the plugin is updated.
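The following WordPress snippet is an added illustration written for this entry; it is not the Catch Breadcrumb plugin's code and does not reproduce its fix. It shows the general pattern behind a reflected XSS in a search breadcrumb (the s query string written into the page unescaped) next to the hardened form that escapes the value at the output point. The function names render_search_crumb_unsafe and render_search_crumb_safe are hypothetical; get_search_query(), wp_unslash() and esc_html() are standard WordPress functions.

```php
<?php
// Added illustration, not the plugin's own code. Assumes a WordPress runtime
// where get_search_query(), wp_unslash() and esc_html() are available.

// Vulnerable pattern (hypothetical): the raw request parameter is concatenated
// straight into markup, so whatever is in ?s= is rendered as HTML by the browser.
function render_search_crumb_unsafe() {
    $term = isset( $_GET['s'] ) ? wp_unslash( $_GET['s'] ) : '';
    return '<span class="breadcrumb-current">Search results for: ' . $term . '</span>';
}

// Hardened form: obtain the term through the WordPress API and escape it for
// HTML-body context at the exact point it is written out. get_search_query(false)
// returns the unescaped term so that esc_html() is the single, explicit escaping step.
function render_search_crumb_safe() {
    $term = get_search_query( false );
    return '<span class="breadcrumb-current">Search results for: ' . esc_html( $term ) . '</span>';
}
```

The defensive point is where the escaping happens: escaping once, at output, in the context the value lands in (HTML body here, esc_attr() for an attribute) is what closes this bug class; filtering the parameter on the way in is at best a stopgap, which is why the advisory's workaround is described as temporary.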

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2020-12054

Affected Products: Catch Breadcrumb