Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in lavacode Lava Ajax Search lava-ajax-search allows Stored XSS. This issue affects Lava Ajax Search: from n/a through <= 1.1.9.
Published: 2025-03-11
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw caused by improper input neutralization in the Lava Ajax Search plugin. A malicious user could submit script content that the plugin stores and later renders, unescaped, when search results are displayed, so the script executes in the browser of any visitor who views those results. Because the payload is persisted server-side rather than reflected from a single request, it keeps firing across sessions and visitors, enabling data exfiltration, session hijacking, or site defacement.

Affected Systems

The affected product is the Lava Ajax Search plugin from lavacode, impacting all versions up through 1.1.9. Sites running version 1.1.9 or older should verify whether this plugin is installed and consider updating if available.

Risk and Exploitability

With a CVSS score of 5.9 the vulnerability is rated moderate, and its EPSS score of less than 1% indicates a very low exploitation probability. It is not listed in the CISA KEV catalog. The published CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) records high privileges required and user interaction required, so the score assumes the payload is planted by a highly privileged account and fires when another user views the affected page. Based on the description, the likely attack vector is that an attacker submits malicious search terms that the plugin stores and later renders, leading to script execution in the browsers of visitors reviewing those search results. Effective mitigation hinges on correcting input handling (escaping stored values when they are written into the page) or restricting the feature until a patch is available.

Generated by OpenCVE AI on May 2, 2026 at 08:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Lava Ajax Search plugin to the latest version that addresses the XSS issue.
  • If an immediate update is not feasible, temporarily disable the plugin or its search functionality until a patched version is released.
  • Review any data stored by the plugin for malicious content and ensure that only users with administrative privileges can add or view such data.



Advisories
Source: EUVD
ID: EUVD-2025-7884
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in lavacode Lava Ajax Search allows Stored XSS. This issue affects Lava Ajax Search: from n/a through 1.1.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in lavacode Lava Ajax Search allows Stored XSS. This issue affects Lava Ajax Search: from n/a through 1.1.9.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in lavacode Lava Ajax Search lava-ajax-search allows Stored XSS.This issue affects Lava Ajax Search: from n/a through <= 1.1.9.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss
  Removed: {'score': 0.00045}
  Added: {'score': 0.00068}


Wed, 12 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 11 Mar 2025 21:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in lavacode Lava Ajax Search allows Stored XSS. This issue affects Lava Ajax Search: from n/a through 1.1.9.
Title WordPress Lava Ajax Search plugin <= 1.1.9 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:51.258Z

Reserved: 2025-03-11T08:10:05.094Z

Link: CVE-2025-28937

Vulnrichment

Updated: 2025-03-12T13:43:56.818Z

NVD

Status: Deferred

Published: 2025-03-11T21:15:51.587

Modified: 2026-04-23T15:26:38.320

Link: CVE-2025-28937

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T09:00:11Z

Weaknesses