The Stock in & out WordPress plugin through 1.0.4 has a search feature that is reachable by users holding the Contributor role or higher. The srch POST parameter is not validated, sanitised or escaped before being used in an echo statement, leading to a reflected XSS issue.
CPE

| Name | Operator | Version |
|---|---|---|
| stock_in_&_out | le | 1.0.4 |
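An added illustration of the pattern the description refers to, not the plugin's own source: a search term read from the srch POST parameter and echoed back unescaped, next to a hardened version that checks capability and nonce, sanitises on input and escapes on output. The sio_ function names, the nonce action name, the capability and the text domain are assumptions; the WordPress APIs used (current_user_can, check_admin_referer, wp_unslash, sanitize_text_field, esc_html, esc_attr) are real core functions.

```php
<?php
// Vulnerable pattern (constructed illustration, not the plugin's code):
// the submitted search term is written straight into the HTML response.
function sio_render_search_results_vulnerable() {
    $term = isset( $_POST['srch'] ) ? $_POST['srch'] : '';
    // No validation, sanitisation or escaping: any markup in $term is
    // reflected to the browser, which is the reflected XSS described above.
    echo '<p>Results for: ' . $term . '</p>';
}

// Hardened version: verify who is asking and why, sanitise the input,
// and escape at the point of output.
function sio_render_search_results_hardened() {
    // Capability check; 'edit_posts' is a placeholder for whatever right the
    // feature actually requires (Contributor holds it by default).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'stock-in-out' ) );
    }

    // Nonce check: rejects POSTs that were not produced by the plugin's own
    // search form, which removes the cross-site trigger for the reflection.
    check_admin_referer( 'sio_search_action', 'sio_search_nonce' );

    // Undo WordPress' magic-quotes slashing, then sanitise: strips tags,
    // control characters and surrounding whitespace.
    $raw  = isset( $_POST['srch'] ) ? wp_unslash( $_POST['srch'] ) : '';
    $term = sanitize_text_field( $raw );

    // Escape for the context the value lands in: esc_html for element text,
    // esc_attr inside an attribute value. Input sanitisation alone is not
    // a substitute for this step.
    echo '<p>Results for: ' . esc_html( $term ) . '</p>';
    echo '<input type="text" name="srch" value="' . esc_attr( $term ) . '">';
}
```

The hardened function is what a reviewer would expect to find where the description says the value reaches an echo statement; the nonce and capability checks also keep the search from being triggered by a page the user did not intend to submit.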