Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeManas Search with Typesense search-with-typesense allows Stored XSS. This issue affects Search with Typesense: from n/a through <= 2.0.10.
Published: 2025-06-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Input During Web Page Generation (CWE-79) flaw in the CodeManas Search with Typesense WordPress plugin. An attacker can store a malicious script payload that is later executed in the browsers of users who view the affected pages, so the script runs in the context of site visitors.

Affected Systems

WordPress websites that have installed the CodeManas Search with Typesense plugin version 2.0.10 or earlier are affected, as the vulnerability is present in all releases up to and including that version.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of <1% suggests a very low probability of exploitation at this time; the vulnerability is not listed in the CISA KEV catalog. The analysis infers that an attacker would need to supply malicious input that the plugin stores, typically through search queries or form submissions. Because the XSS is stored, once a payload is injected it affects any visitor who loads the compromised content.

Generated by OpenCVE AI on April 30, 2026 at 18:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Search with Typesense plugin to version 2.0.11 or later to eliminate the vulnerability.
  • Configure the plugin to enforce strict input validation (allowing only alphanumeric characters and rejecting script tags), if the plugin offers such a configuration option.
  • Implement a Content Security Policy that blocks inline script execution and restricts script sources to trusted origins.
  • Monitor web application logs for anomalous script injection attempts and confirm that the vulnerability no longer persists in stored data.

Advisories

  Source: EUVD
  ID: EUVD-2025-17264
  Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeManas Search with Typesense allows Stored XSS. This issue affects Search with Typesense: from n/a through 2.0.10.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1), value added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

  Description, value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeManas Search with Typesense allows Stored XSS. This issue affects Search with Typesense: from n/a through 2.0.10.
  Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeManas Search with Typesense search-with-typesense allows Stored XSS.This issue affects Search with Typesense: from n/a through <= 2.0.10.
  Title, value removed: WordPress Search with Typesense <= 2.0.10 - Cross Site Scripting (XSS) Vulnerability
  Title, value added: WordPress Search with Typesense plugin <= 2.0.10 - Cross Site Scripting (XSS) Vulnerability
  References: updated (values not listed)
  Metrics (cvssV3_1), value added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 06 Jun 2025 16:15:00 +0000

  Metrics (ssvc), value added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Jun 2025 13:00:00 +0000

  Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeManas Search with Typesense allows Stored XSS. This issue affects Search with Typesense: from n/a through 2.0.10.
  Title, value added: WordPress Search with Typesense <= 2.0.10 - Cross Site Scripting (XSS) Vulnerability
  Weaknesses, value added: CWE-79
  References: added (values not listed)
  Metrics (cvssV3_1), value added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:00.794Z

Reserved: 2025-06-04T09:42:00.389Z

Link: CVE-2025-49304

Vulnrichment

Updated: 2025-06-06T15:39:26.494Z

NVD

Status: Deferred

Published: 2025-06-06T13:15:46.003

Modified: 2026-04-23T15:31:25.650

Link: CVE-2025-49304

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T18:45:21Z

Weaknesses