CVE-2023-1435 — Cross-site Scripting in Ajax Search

CWE-79 — Cross-site Scripting CWE-78 — OS Command Injection6 documents6 sources

Severity

6.1MEDIUMNVD

CISA7.2

EPSS

0.1%

top 64.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wp-dreams Ajax Search

Timeline

PublishedApr 24

Latest updateOct 23

Description

The Ajax Search Pro WordPress plugin before 4.26.2 does not sanitise and escape various parameters before outputting them back in pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDwp-dreams/ajax_search< 4.26.2

🔴Vulnerability Details

CVEList

Ajax Search Lite Pro < 4.26.2 - Multiple Reflected Cross-Site Scripting↗2023-04-24

▶

GHSA

GHSA-854f-g2rv-24mj: The Ajax Search Pro WordPress plugin before 4↗2023-04-24

▶

📋Vendor Advisories

CISA

Cisco IOS XE Web UI Command Injection Vulnerability↗2023-10-23

▶