CVE-2022-0780

Name of the Vulnerable Software and Affected Versions SearchIQ WordPress plugin versions prior to 3.9

Description The issue allows unauthenticated attackers to access the siq ajax AJAX action due to a flag that disables the verification of CSRF nonces. This enables them to perform Cross-Site Scripting attacks because of the lack of sanitization and escaping in the customCss parameter.

Recommendations For versions prior to 3.9, update to version 3.9 or later to resolve the issue. As a temporary workaround, consider disabling the siq ajax AJAX action until a patch is available. Restrict access to the customCss parameter in the affected AJAX endpoint to minimize the risk of exploitation.