Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Better Search better-search allows Stored XSS. This issue affects Better Search: from n/a through <= 4.2.1.
Published: 2026-02-03
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross-site scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Input During Web Page Generation (CWE‑79) that results in stored cross‑site scripting in the Ajay Better Search WordPress plugin. Attacker-supplied input is persisted by the plugin and later written into a page without adequate escaping, so the injected script executes in the browser of every user who views the affected content. In a WordPress context that typically means actions performed with the viewing user's privileges through authenticated requests, harvesting of credentials through injected forms, and defacement; if an administrator views the content, the attacker can act as an administrator.
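As an added illustration (not code from the Better Search plugin, whose exact sink is not published on this page), the following PHP shows the generic CWE-79 shape behind a stored XSS in a WordPress plugin: settings saved by a privileged user are echoed into markup unescaped, beside the hardened form that escapes at output with WordPress's esc_html() and esc_attr() and sanitizes on save with sanitize_text_field(). The setting names, the stored values and the minimal shims that let the snippet run outside WordPress are assumptions.

```php
<?php
// Added example for this advisory: hypothetical plugin code, not Better Search's.
// The shims below let the file run with plain `php` outside WordPress; inside
// WordPress the real esc_html(), esc_attr() and sanitize_text_field() exist and
// the shims are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $str): string {
        // Approximation of WordPress: drop tags, then collapse whitespace.
        return trim(preg_replace('/\s+/', ' ', strip_tags($str)));
    }
}

// Constructed stored settings, as a user with an elevated role (PR:H in the
// CVSS vector on this page) could have saved them through a settings form.
// Two of them carry payloads: one uses a tag, one breaks out of an attribute.
$stored = [
    'heading'     => 'Search results',
    'empty_msg'   => '<img src=x onerror="alert(document.domain)">',
    'placeholder' => '" autofocus onfocus="alert(1)',
];

// Vulnerable: stored strings are concatenated into HTML with no escaping, so
// every visitor of the search page executes whatever the settings contain.
function render_vulnerable(array $opts): string {
    return '<h2>' . $opts['heading'] . '</h2>'
         . '<p class="empty">' . $opts['empty_msg'] . '</p>'
         . '<input type="search" name="s" placeholder="' . $opts['placeholder'] . '">';
}

// Hardened: escape at the point of output with the escaper for that context
// (element text vs. attribute value). Both payloads become inert text.
function render_hardened(array $opts): string {
    return '<h2>' . esc_html($opts['heading']) . '</h2>'
         . '<p class="empty">' . esc_html($opts['empty_msg']) . '</p>'
         . '<input type="search" name="s" placeholder="' . esc_attr($opts['placeholder']) . '">';
}

// Defence in depth on save. Note what it does and does not do: the <img> tag is
// stripped, but the attribute-breakout string contains no tag and survives
// intact, which is why output escaping, not input sanitization, is the control
// that closes CWE-79.
function save_plain_text_setting(string $raw): string {
    return sanitize_text_field($raw);
}

echo render_vulnerable($stored), "\n\n";
echo render_hardened($stored), "\n\n";
echo save_plain_text_setting($stored['empty_msg']), "\n";
echo save_plain_text_setting($stored['placeholder']), "\n";
```

For a setting that legitimately holds HTML, replace esc_html() with wp_kses_post(), which keeps the allowed tags and drops scripts and event-handler attributes.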

Affected Systems

The affected product is the WordPress Better Search plugin by Ajay; the advisory gives no lower bound ("from n/a") and covers every release up to and including 4.2.1. Any site running one of these versions is affected. Given the PR:H and UI:R components of the CVSS vector, the realistic scenario is a user who already holds an elevated role on the site storing the payload, which then fires when another user (typically an editor or administrator) views or interacts with the page that renders it. Multi-author sites and sites that grant elevated roles to outside parties are the most exposed.

Risk and Exploitability

The CVSS 3.1 base score of 5.9 (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) places the flaw at medium severity: it is reachable over the network with low complexity, but the attacker must already hold high privileges on the site and a victim must interact with the affected page. The changed scope reflects that the payload runs in the victim's browser rather than in the plugin itself. The EPSS estimate of under 1% and the SSVC assessment recorded in the History section below (Exploitation: none, Automatable: no) both indicate a low likelihood of exploitation at present, and the flaw is not listed in the CISA KEV catalog. Because the payload is persisted, a site stays exposed until the plugin is updated or removed, and any payload already stored should be assumed to remain in the database after an update.

Generated by OpenCVE AI on April 16, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Better Search to a release later than 4.2.1 that the vendor identifies as fixed. This page records no fixed version or vendor advisory, so confirm the fixed release in the plugin's changelog or the Patchstack advisory before treating an update as sufficient.
  • If an upgrade is not immediately possible, deactivate or uninstall the plugin so the affected output is no longer rendered.
  • Whether or not you update, review the plugin's stored data (its options and any tables it creates) for script tags, on* event-handler attributes and javascript: URLs, remove what you find, and restrict the roles that can change plugin settings or content to accounts you trust, since the CVSS vector shows the payload is planted by a privileged user.

Generated by OpenCVE AI on April 16, 2026 at 01:21 UTC.
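To support the third recommended action, here is an added PHP triage script (not part of Better Search or OpenCVE) that flags stored values containing the markup a stored XSS payload needs. The row layout, table names and sample values are constructed; in practice feed it rows exported from wp_options and any tables the plugin creates, and treat each hit as something to review by hand, not as proof of compromise.

```php
<?php
// Added triage script for this advisory, not part of Better Search or OpenCVE.
// Row layout is an assumption: ['table', 'id', 'field', 'value'] as you would
// get from exporting wp_options plus whatever tables the plugin creates.

// Markup patterns a browser would act on, roughly ordered by confidence.
const XSS_INDICATORS = [
    'script_tag'    => '/<\s*script\b/i',
    'js_uri'        => '/(?:javascript|vbscript)\s*:/i',
    'data_html'     => '/data\s*:\s*text\/html/i',
    'active_tag'    => '/<\s*(?:iframe|object|embed|svg|math|base|meta|link)\b/i',
    'event_attr'    => '/<[^>]*\son[a-z]+\s*=/i',           // on*= inside a tag
    'attr_breakout' => '/["\'][^"\'<>]*\bon[a-z]+\s*=/i',  // quote ... onfocus=
];

// The raw value is scanned first, then URL- and entity-decoded forms, because
// some plugins store encoded text. A hit only via a decoder is exploitable only
// if some output path decodes before rendering, so it ranks lower in triage.
function decodings(string $v): array {
    return [
        'raw'    => $v,
        'urldec' => rawurldecode($v),
        'entdec' => html_entity_decode($v, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
    ];
}

function find_xss_candidates(iterable $rows): array {
    $hits = [];
    foreach ($rows as $row) {
        foreach (decodings((string) $row['value']) as $via => $text) {
            foreach (XSS_INDICATORS as $rule => $re) {
                if (preg_match($re, $text)) {
                    $hits[] = ['table' => $row['table'], 'id' => $row['id'],
                               'field' => $row['field'], 'rule' => $rule, 'via' => $via];
                    continue 3;   // one finding per row is enough to queue it for review
                }
            }
        }
    }
    return $hits;
}

// Constructed sample rows; table and field names are placeholders.
$rows = [
    ['table' => 'wp_options',   'id' => 101, 'field' => 'option_value', 'value' => 'Search results'],
    ['table' => 'wp_options',   'id' => 102, 'field' => 'option_value', 'value' => '<img src=x onerror="alert(document.domain)">'],
    ['table' => 'wp_options',   'id' => 103, 'field' => 'option_value', 'value' => '" autofocus onfocus="alert(1)'],
    ['table' => 'plugin_terms', 'id' => 7,   'field' => 'term',         'value' => '%3Cscript%3Ealert(1)%3C%2Fscript%3E'],
    ['table' => 'plugin_terms', 'id' => 8,   'field' => 'term',         'value' => 'onion soup recipe'],
];

foreach (find_xss_candidates($rows) as $h) {
    printf("%s#%s.%s  rule=%s  via=%s\n", $h['table'], $h['id'], $h['field'], $h['rule'], $h['via']);
}
```

Raw hits in a field the plugin echoes are the ones to remove first; hits found only through urldec or entdec matter only if an output path decodes the value before rendering. A row that is meant to hold HTML (a settings field for a banner, say) should be re-saved through wp_kses_post() rather than deleted outright.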

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 12:15:00 +0000

  Type                  Values Removed   Values Added
  First Time appeared                    Wordpress
                                         Wordpress wordpress
  Vendors & Products                     Wordpress
                                         Wordpress wordpress

Tue, 03 Feb 2026 15:15:00 +0000

  Type      Values Removed   Values Added
  Metrics                    cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}
                             ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Feb 2026 14:30:00 +0000

  Type          Values Removed   Values Added
  Description                    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Better Search better-search allows Stored XSS.This issue affects Better Search: from n/a through <= 4.2.1.
  Title                          WordPress Better Search plugin <= 4.2.1 - Cross Site Scripting (XSS) vulnerability
  Weaknesses                     CWE-79
  References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:30.459Z

Reserved: 2026-01-28T09:50:05.801Z

Link: CVE-2026-24938

Vulnrichment

Updated: 2026-02-03T14:37:11.533Z

NVD

Status: Deferred

Published: 2026-02-03T15:16:15.130

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24938

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T01:30:20Z

Weaknesses