CVE-2026-0694

CVSS v3.1

6.4

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

The SearchWiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in search results in all versions up to, and including, 1.0.0. This is due to the plugin using

esc attr()

instead of

esc html()

when outputting post titles in search results. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in post titles that will execute whenever a user performs a search and views the search results page.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2026-0694

Affected Products

Searchwiz

CVE-2026-0694

Weakness Enumeration

Related Identifiers

Affected Products

References · 4