Threat Entry Updated 2026-03-23

CVE-2026-2837 - Advanced Search Plugin

The Ricerca – advanced search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's settings in all versions up to, and including, 1.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Advanced Search

CVE-2026-2837

MEDIUM CVSS 4.4 2026-03-21

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-05-08

CVE-2024-3265 - Advanced Search Plugin

The Advanced Search WordPress plugin through 1.1.6 does not properly escape parameters appended to an SQL query, making it possible for users with the administrator role to conduct SQL Injection attacks in the context of a multisite WordPress configurations.

PLUGIN Advanced Search

CVE-2024-3265

MEDIUM CVSS 4.7 2024-04-25

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-05-08

CVE-2024-2739 - Advanced Search Plugin

The Advanced Search WordPress plugin through 1.1.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

PLUGIN Advanced Search

CVE-2024-2739

HIGH CVSS 8.7 2024-04-15

Risk Score

Open Full Technical Breakdown