The plugin does not properly escape the current page URL before reusing it in an HTML attribute, leading to a reflected cross-site scripting vulnerability.
On a page or post with a search form, add the following URL query parameter: ?%22%3E%3Cscript%3Ealert(1)%3C/script%3E
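The flaw and its fix, as an added example that is not the plugin's own code: the decoded page URL is written into a form's `action` attribute with and without attribute escaping, and the resulting markup is parsed to confirm whether a script element appears. The function names and the `/sample-page/` path are hypothetical, the plugin is assumed to work with the URL-decoded value, and `htmlspecialchars()` stands in for WordPress's `esc_url()` / `esc_attr()` so the snippet runs outside WordPress.

```php
<?php
// Added illustration; not the plugin's code. Function names are hypothetical.

// Vulnerable pattern: the decoded URL is concatenated into the attribute as-is.
function render_search_form_unescaped(string $current_url): string {
    return '<form method="get" action="' . $current_url . '"><input name="s"></form>';
}

// Fixed pattern: escape for the attribute context at output time.
// Inside WordPress, esc_url() or esc_attr() is the function to use here.
function render_search_form_escaped(string $current_url): string {
    $safe = htmlspecialchars($current_url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="get" action="' . $safe . '"><input name="s"></form>';
}

// Regression check: parse the markup and report what a browser would see.
function inspect_markup(string $html): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate fragment-style markup
    $doc->loadHTML($html);
    libxml_clear_errors();
    $form = $doc->getElementsByTagName('form')->item(0);
    return [
        'script_elements' => $doc->getElementsByTagName('script')->length,
        'form_action'     => $form ? $form->getAttribute('action') : null,
    ];
}

// Constructed input: a sample path plus the query string from the advisory,
// decoded the way the assumed plugin code would see it.
$current_url = urldecode('/sample-page/?%22%3E%3Cscript%3Ealert(1)%3C/script%3E');

foreach (['unescaped' => 'render_search_form_unescaped',
          'escaped'   => 'render_search_form_escaped'] as $label => $render) {
    $result = inspect_markup($render($current_url));
    printf("%-9s script elements: %d, action: %s\n",
        $label, $result['script_elements'], $result['form_action']);
}
```

With escaping in place the parser finds no script element and the `action` attribute holds the full URL as inert text, which is the condition a regression test for the 1.4.0 fix should assert.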
| CPE | Name | Operator | Version |
|---|---|---|---|
| | themify-ptb-search | lt | 1.4.0 |