CVE-2023-2452 in Advanced Woo Search Plugin

Summary

by MITRE • 06/09/2023

The Advanced Woo Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.77 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Analysis

by VulDB Data Team • 04/10/2026

CVE-2023-2452 is a critical stored cross-site scripting vulnerability in the Advanced Woo Search plugin for WordPress, reachable through the plugin's administrative settings. It affects versions up to and including 2.77 and creates a persistent threat vector that can compromise user sessions and execute malicious code in the context of affected sites. The flaw stems from inadequate input sanitization and insufficient output escaping: user-supplied data is stored through the plugin's administrative interface without being properly validated or sanitized, and is later output without escaping.

Exploiting the flaw requires administrator-level permissions or higher within the WordPress environment, which makes it particularly dangerous in multi-site installations, where the attack surface expands significantly. An attacker injects script through the plugin's administrative settings; the payload is stored and executes whenever a legitimate user loads a page containing the injected content. Because the payload persists after the initial injection, it can affect multiple users over an extended period. The issue is limited to multi-site installations and to environments where the unfiltered_html capability has been disabled, a significant operational constraint on the scope of impact.

The impact extends beyond simple script execution: the vulnerability can enable session hijacking, credential theft and data exfiltration, and an attacker can use it to establish persistent access to the compromised system, potentially leading to full compromise and unauthorized access to sensitive customer data. It is classified under CWE-79 (cross-site scripting) and is a direct violation of secure coding practices that require proper input validation and output encoding. From an ATT&CK perspective it maps to privilege-escalation and persistence techniques, since the stored scripts let an attacker maintain access.

Mitigation should prioritize an immediate update to a plugin version that addresses the sanitization and escaping deficiencies, together with restricting administrative access to trusted personnel. Organizations should consider a web application firewall to detect and block script injection, and regular security audits to find similar weaknesses in other plugins and themes. The case underlines the importance of proper input validation and output escaping in every web application development process. Security monitoring should cover unusual administrative activity and script injection attempts, and regular vulnerability assessments should identify and remediate similar weaknesses across the WordPress ecosystem and its plugins.
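As an added illustration (not code from the Advanced Woo Search plugin), the generic pattern behind a stored XSS in a WordPress settings page, shown beside the hardened form that uses a sanitize_callback on save and esc_attr() on output; the option, field and function names are hypothetical.

```php
<?php
// Added example for this page, not code from the Advanced Woo Search plugin.
// It contrasts the generic weak pattern the advisory describes (an admin
// settings value stored without sanitization and echoed without escaping)
// with a hardened version. Option, field and function names are hypothetical.

// --- Weak pattern: no sanitize_callback on save, raw echo on output ---
function demo_register_setting_weak() {
    // No 'sanitize_callback': the submitted value is stored verbatim in wp_options.
    register_setting( 'demo_options', 'demo_search_placeholder' );
}

function demo_render_field_weak() {
    $value = get_option( 'demo_search_placeholder', '' );
    // Unescaped output inside an attribute: a stored value that closes the
    // quote becomes live markup for every user who loads this settings page.
    echo '<input type="text" name="demo_search_placeholder" value="' . $value . '">';
}

// --- Hardened pattern: sanitize on save, escape on output ---
function demo_sanitize_placeholder( $input ) {
    // The placeholder is plain text, so strip tags, encoded entities and
    // stray control characters before the value reaches the database.
    return sanitize_text_field( (string) $input );
}

function demo_register_setting_hardened() {
    register_setting( 'demo_options', 'demo_search_placeholder', array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_sanitize_placeholder',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'demo_register_setting_hardened' );

function demo_render_field_hardened() {
    $value = get_option( 'demo_search_placeholder', '' );
    // Escape at the point of output as well: esc_attr() neutralises quotes
    // and angle brackets even if unsanitized data already sits in the database.
    printf(
        '<input type="text" name="demo_search_placeholder" value="%s">',
        esc_attr( $value )
    );
}

// Why the advisory scopes this to multisite and sites with unfiltered_html
// disabled: an administrator holding unfiltered_html may already publish raw
// HTML, so a stored script crosses no privilege boundary there; without the
// capability (multisite site admins by default) it does.
```

The hardened version applies both controls because either one alone leaves a gap: sanitizing only on save does nothing for values already stored, and escaping only on output still leaves raw markup in the database for other code paths to render.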

Reservation

05/01/2023

Disclosure

06/09/2023

Moderation

accepted

CPE

ready

EPSS

0.00536

KEV

no

Activities

very low
