{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24938", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:05.801Z", "datePublished": "2026-02-03T14:08:32.191Z", "dateUpdated": "2026-04-28T16:14:50.970Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "better-search", "product": "Better Search", "vendor": "Ajay", "versions": [{"changes": [{"at": "4.2.2", "status": "unaffected"}], "lessThanOrEqual": "4.2.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:57.622Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Better Search better-search allows Stored XSS.<p>This issue affects Better Search: from n/a through <= 4.2.1.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Better Search better-search allows Stored XSS.This issue affects Better Search: from n/a through <= 4.2.1."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:50.970Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/better-search/vulnerability/wordpress-better-search-plugin-4-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Better Search plugin <= 4.2.1 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T14:38:47.634481Z", "id": "CVE-2026-24938", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:44:59.531Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24938", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T14:38:47.634481Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T14:37:11.533Z"}}], "cna": {"title": "WordPress Better Search plugin <= 4.2.1 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ajay", "product": "Better Search", "versions": [{"status": "affected", "changes": [{"at": "4.2.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "4.2.1"}], "packageName": "better-search", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:04:57.622Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/better-search/vulnerability/wordpress-better-search-plugin-4-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Better Search better-search allows Stored XSS.This issue affects Better Search: from n/a through <= 4.2.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Better Search better-search allows Stored XSS.<p>This issue affects Better Search: from n/a through <= 4.2.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:50.970Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24938", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:50.970Z", "dateReserved": "2026-01-28T09:50:05.801Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-03T14:08:32.191Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Better Search better-search allows Stored XSS.This issue affects Better Search: from n/a through <= 4.2.1."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en Ajay Better Search better-search permite XSS Almacenado. Este problema afecta a Better Search: desde n/a hasta &lt;= 4.2.1."}], "id": "CVE-2026-24938", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-03T15:16:15.130", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/better-search/vulnerability/wordpress-better-search-plugin-4-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:21:43.660061+00:00", "value": {"mitigation_remediation": ["Upgrade the Better Search plugin to version 4.2.2 or later, where the input sanitization fix has been applied.", "If an upgrade is not immediately possible, disable or uninstall the plugin to prevent the stored XSS from being triggered.", "If disabling is not an option, review existing stored data for malicious scripts and cleanse it, ensuring only trusted users can submit content to the plugin."], "summary": {"action": "Apply Patch", "impact": "Stored cross-site scripting"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress Better Search plugin from Ajay, all releases from the earliest available version through 4.2.1. Users with the ability to provide input to the plugin\u2014such as content editors or site administrators\u2014are at risk if they operate a site running any of these versions.", "description_and_impact": "The vulnerability is an Improper Neutralization of Input During Web Page Generation leading to stored cross\u2011site scripting in the Ajay Better Search WordPress plugin. Malicious scripts are injected into the plugin\u2019s data store and executed when users view the affected content, potentially exposing audit or business data, stealing credentials, or defacing the site. The weakness is classified as CWE\u201179.", "risk_and_exploitability": "With a CVSS score of 5.9 the flaw represents moderate severity, while an EPSS of less than 1% indicates a low likelihood of widespread exploitation at present. The plugin\u2019s web\u2011based interface is the likely attack vector; an attacker who can submit content that is subsequently displayed to other users can trigger the stored XSS. The flaw is not listed in the CISA KEV catalog, but because it persists in stored data it can continue to affect sites until the plugin is updated or removed."}}}}, "created": "2026-02-04T12:14:01.606866+00:00", "updated": "2026-04-16T01:30:20.309440+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}