{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0694", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-07T21:02:43.237Z", "datePublished": "2026-01-14T05:28:07.738Z", "dateUpdated": "2026-04-08T16:47:51.896Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:51.896Z"}, "affected": [{"vendor": "searchwiz", "product": "SearchWiz", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SearchWiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in search results in all versions up to, and including, 1.0.0. This is due to the plugin using `esc_attr()` instead of `esc_html()` when outputting post titles in search results. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in post titles that will execute whenever a user performs a search and views the search results page."}], "title": "SearchWiz <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e60a315-7f74-4d81-b6d2-ad3d40d489ef?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/searchwiz/trunk/public/class-sw-ajax.php#L616"}, {"url": "https://plugins.trac.wordpress.org/browser/searchwiz/tags/1.0.0/public/class-sw-ajax.php#L616"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Powpy"}, {"lang": "en", "type": "finder", "value": "Waris Damkham"}, {"lang": "en", "type": "finder", "value": "Varakorn Chanthasri"}, {"lang": "en", "type": "finder", "value": "Peerapat Samatathanyakorn"}, {"lang": "en", "type": "finder", "value": "Sopon Tangpathum (SoNaJaa)"}], "timeline": [{"time": "2026-01-13T16:43:30.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-15T19:55:15.815528Z", "id": "CVE-2026-0694", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T19:58:43.596Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0694", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-15T19:55:15.815528Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T19:58:40.273Z"}}], "cna": {"title": "SearchWiz <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Powpy"}, {"lang": "en", "type": "finder", "value": "Waris Damkham"}, {"lang": "en", "type": "finder", "value": "Varakorn Chanthasri"}, {"lang": "en", "type": "finder", "value": "Peerapat Samatathanyakorn"}, {"lang": "en", "type": "finder", "value": "Sopon Tangpathum (SoNaJaa)"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "searchwiz", "product": "SearchWiz", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-13T16:43:30.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e60a315-7f74-4d81-b6d2-ad3d40d489ef?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/searchwiz/trunk/public/class-sw-ajax.php#L616"}, {"url": "https://plugins.trac.wordpress.org/browser/searchwiz/tags/1.0.0/public/class-sw-ajax.php#L616"}], "descriptions": [{"lang": "en", "value": "The SearchWiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in search results in all versions up to, and including, 1.0.0. This is due to the plugin using `esc_attr()` instead of `esc_html()` when outputting post titles in search results. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in post titles that will execute whenever a user performs a search and views the search results page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-14T05:28:07.738Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0694", "state": "PUBLISHED", "dateUpdated": "2026-01-15T19:58:43.596Z", "dateReserved": "2026-01-07T21:02:43.237Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-14T05:28:07.738Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SearchWiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in search results in all versions up to, and including, 1.0.0. This is due to the plugin using `esc_attr()` instead of `esc_html()` when outputting post titles in search results. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in post titles that will execute whenever a user performs a search and views the search results page."}, {"lang": "es", "value": "El plugin SearchWiz para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de los t\u00edtulos de las publicaciones en los resultados de b\u00fasqueda en todas las versiones hasta la 1.0.0, inclusive. Esto se debe a que el plugin utiliza `esc_attr()` en lugar de `esc_html()` al mostrar los t\u00edtulos de las publicaciones en los resultados de b\u00fasqueda. Esto permite que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en los t\u00edtulos de las publicaciones que se ejecutar\u00e1n cada vez que un usuario realice una b\u00fasqueda y vea la p\u00e1gina de resultados de b\u00fasqueda."}], "id": "CVE-2026-0694", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-14T06:15:55.500", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/searchwiz/tags/1.0.0/public/class-sw-ajax.php#L616"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/searchwiz/trunk/public/class-sw-ajax.php#L616"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e60a315-7f74-4d81-b6d2-ad3d40d489ef?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T19:13:11.123578+00:00", "value": {"mitigation_remediation": ["Update SearchWiz to the latest available version that fixes the XSS issue.", "Remove or sanitize any post titles that were added with malicious content before the update.", "Restrict the Contributor role to limit the ability to edit post titles, or use a stricter role that requires editorial approval."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting in SearchWiz"}, "threat_synthesis": {"affected_systems": "WordPress sites running the SearchWiz plugin version 1.0.0 or earlier are affected. The vulnerability does not apply to newer releases (if any).", "description_and_impact": "The SearchWiz plugin for WordPress contains a Stored Cross\u2011Site Scripting flaw that allows authenticated users with contributor privileges to inject malicious scripts into post titles displayed in search results. The plugin incorrectly uses esc_attr() instead of esc_html() when rendering these titles, meaning that any JavaScript embedded in a title will be executed in the browser of every user who performs a search. Although the bug is limited to authenticated users, the injected code can steal session cookies, deface content, or redirect victims to malicious sites.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. Exploit probability is very low with an EPSS of less than 1%, and the vulnerability is not listed in the CISA KEV catalog. The attack requires contributor\u2011level or higher privileges and affects only those users who can add or edit posts to introduce the injection. Successful exploitation lets the attacker run arbitrary scripts in the victim\u2019s browser context, enabling hijacking of sessions, defacement, or redirection."}}}}, "created": "2026-01-14T10:48:37.263616+00:00", "updated": "2026-04-15T19:15:12.083564+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}