CVE-2026-0694

Name of the Vulnerable Software and Affected Versions SearchWiz versions prior to 1.0.1

Description The SearchWiz plugin for WordPress is susceptible to Stored Cross-Site Scripting through post titles displayed in search results. The issue arises because the plugin utilizes esc attr() instead of esc html() when displaying post titles, allowing authenticated attackers with contributor-level access or higher to inject malicious web scripts into post titles. These scripts execute when a user performs a search and views the resulting page. The vulnerable component is the handling of post titles in search results.

Recommendations Update SearchWiz to version 1.0.1 or later.