CVE-2026-11356 in Ivory Search Plugin
Summary
by MITRE • 06/27/2026
The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'menu_title' and 'menu_magnifier_color' Settings in all versions up to, and including, 5.5.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 06/27/2026
The vulnerability identified in the Ivory Search WordPress plugin represents a critical stored cross-site scripting flaw that undermines the security integrity of WordPress installations. This weakness exists within plugin versions up to and including 5.5.15, where the application fails to properly sanitize user inputs submitted through the menu_title and menu_magnifier_color configuration parameters. The vulnerability falls under CWE-79 which specifically addresses cross-site scripting conditions in web applications, making it a prime target for attackers seeking to exploit administrative privileges within WordPress environments.
The technical implementation of this flaw stems from inadequate input validation mechanisms that allow malicious payloads to be stored within the plugin's settings database fields without proper sanitization. When administrators configure these specific parameters through the plugin interface, the input values are not sufficiently escaped before being rendered back to users accessing affected pages. This creates a persistent injection point where attacker-controlled scripts can be executed in the context of authenticated user sessions, particularly those with administrator privileges.
The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with elevated privileges within the WordPress environment. Since the vulnerability requires only administrator-level access or higher to exploit, successful attacks could lead to complete compromise of the affected WordPress installation. Attackers can leverage this weakness to perform actions such as modifying content, stealing session cookies, accessing sensitive data, or even installing backdoors for persistent access. The stored nature of the XSS means that once the malicious input is injected, it will automatically execute whenever any user accesses pages containing the compromised settings.
From a threat modeling perspective, this vulnerability aligns with ATT&CK technique T1548.003 which covers Abuse of Cloud Infrastructure and T1213.002 covering Data from Information Repositories, as it enables unauthorized access to stored plugin configurations and potentially broader system information. The attack vector requires authenticated access, making it particularly dangerous in environments where administrators may have less stringent security practices or where credential compromise occurs through other means.
Mitigation strategies should prioritize immediate patching to versions beyond 5.5.15 where the sanitization issues have been addressed. Organizations should implement principle of least privilege controls and regularly audit plugin configurations to identify any malicious entries that may have already been injected. Network monitoring solutions can help detect anomalous script execution patterns, while input validation improvements in the plugin codebase should ensure that all user-supplied data undergoes proper sanitization before being stored or rendered back to users. Security teams should also consider implementing web application firewalls and content security policies to provide additional layers of protection against similar vulnerabilities in other components of their WordPress installations.