CVE-2025-5209: 
WordPress vulnerability analysis and mitigation

The Ivory Search WordPress plugin before version 5.5.10 contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-5209. The vulnerability was discovered and disclosed on May 27, 2025, affecting WordPress installations using the Ivory Search plugin. This security issue specifically impacts the plugin's settings functionality, allowing high-privilege users to perform XSS attacks even when unfiltered_html is disabled (WPScan, Wiz).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. The CVSS v3.1 base score is 4.8 (Medium) with the vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. This indicates a network-accessible vulnerability requiring high privileges and user interaction. The security flaw exists even when the unfiltered_html capability is disabled for administrative users (NIST NVD, Wiz).

When exploited, this vulnerability allows high-privilege users such as administrators to perform Cross-Site Scripting attacks. The impact is particularly notable as it bypasses the unfiltered_html restriction, which is typically a security control for preventing such attacks (WPScan).

The vulnerability has been patched in version 5.5.10 of the Ivory Search plugin. Website administrators are strongly advised to update to this version or later to mitigate the security risk (WPScan, Wiz).