Ivory Search – WordPress Search Plugin Security & Risk Analysis

wordpress.org/plugins/add-search-to-menu

Advanced WordPress custom search plugin. Provides Search Form Customizer, WooCommerce Search, AJAX Search & Live Search support!

100K active installs · v5.5.14 · PHP 5.2.4+ · WP 3.9+ · Updated Jan 22, 2026
Tags: ajax-search, file-search, image-search, search, woocommerce-search
Score 95 · A · Safe
CVEs total: 11
Unpatched: 0
Last CVE: Jan 27, 2026
Safety Verdict

Is Ivory Search – WordPress Search Plugin Safe to Use in 2026?

Generally Safe

Score 95/100

Ivory Search – WordPress Search Plugin has a strong security track record. Known vulnerabilities have been patched promptly.

11 known CVEs · Last CVE: Jan 27, 2026 · Updated 2mo ago
Risk Assessment

The "add-search-to-menu" plugin, version 5.5.14, has a mixed security posture. Its strengths are database query handling, with 97% of queries using prepared statements, and a high rate of output escaping (82%). The main concern is its attack surface: 4 of its 5 entry points lack proper authentication checks. Taint analysis also identified 4 flows with unsanitized paths, although this analysis found no critical or high severity issues. The plugin's vulnerability history is a major red flag: 11 known medium-severity CVEs, including past instances of Cross-site Scripting, Sensitive Information Exposure, and Missing Authorization. The last vulnerability dates from 2026 and was patched in 5.5.14, the current version, which highlights a recurring pattern of security weaknesses that have required patching. Although the current static analysis reveals no critical vulnerabilities, the historical pattern and the unprotected attack surface warrant caution.

Key Concerns

  • 4 AJAX handlers without auth checks
  • 4 flows with unsanitized paths
  • 11 total known CVEs (medium severity)
  • Bundled library Freemius v1.0
Vulnerabilities
11

Ivory Search – WordPress Search Plugin Security Vulnerabilities

CVEs by Year

2021: 4 CVEs
2022: 2 CVEs
2024: 2 CVEs
2025: 2 CVEs
2026: 1 CVE

Severity Breakdown

Medium: 11

11 total CVEs

CVE-2026-1053 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ivory Search <= 5.5.13 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu_gcse' and 'nothing_found_text' Parameters

Jan 27, 2026 Patched in 5.5.14 (1d)
CVE-2025-63069 · medium · 5.3 · Missing Authorization

Ivory Search <= 5.5.12 - Missing Authorization

Sep 28, 2025 Patched in 5.5.13 (75d)
CVE-2025-5209 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ivory Search – WordPress Search Plugin <= 5.5.9 - Authenticated (Admin+) Stored Cross-Site Scripting

May 27, 2025 Patched in 5.5.10 (44d)
CVE-2024-6835 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Ivory Search – WordPress Search Plugin <= 5.5.6 - Information Exposure via AJAX Search Form

Sep 4, 2024 Patched in 5.5.7 (1d)
CVE-2024-3233 · medium · 4.3 · Missing Authorization

Ivory Search – WordPress Search Plugin <= 5.5.5 - Missing Authorization to Authenticated (Subscriber+) Index Creation

Apr 12, 2024 Patched in 5.5.6 (21d)
WF-a1513296-f7f6-468c-ac96-5f55812d943e-add-search-to-menu · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ivory Search <= 5.4.6 - Reflected Cross-Site Scripting

Jul 4, 2022 Patched in 5.4.7 (568d)
CVE-2021-25105 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ivory Search <= 5.4 - Multiple Admin+ Stored Cross-Site Scripting

Jan 10, 2022 Patched in 5.4.1 (743d)
WF-35b9f37c-69e1-437a-97dd-3d3e7a8cd86e-add-search-to-menu · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ivory Search <= 4.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Nov 2, 2021 Patched in 4.8 (812d)
CVE-2021-36869 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ivory Search <= 4.6.6 - Reflected Cross-Site Scripting

Oct 1, 2021 Patched in 4.7 (844d)
CVE-2021-24234 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ivory Search <= 4.6 - Reflected Cross Site Scripting

Mar 30, 2021 Patched in 4.6.1 (1029d)
WF-6da0a85d-0c6f-40ae-8a3d-85222f0e7cc5-add-search-to-menu · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ivory Search – WordPress Search Plugin <= 4.5.10 - Reflected Cross-Site Scripting

Feb 1, 2021 Patched in 4.5.11 (1086d)
Code Analysis
Analyzed Mar 16, 2026

Ivory Search – WordPress Search Plugin Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (33 prepared)
Unescaped Output: 237 (1098 escaped)
Nonce Checks: 13
Capability Checks: 24
File Operations: 1
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

SQL Query Safety

97% prepared · 34 total queries

Output Escaping

82% escaped · 1335 total outputs
Data Flows
4 unsanitized

Data Flow Analysis

8 flows · 4 with unsanitized paths
admin_updated_message (admin\class-is-admin.php:371)
Attack Surface
4 unprotected

Ivory Search – WordPress Search Plugin Attack Surface

Entry Points: 5
Unprotected: 4

AJAX Handlers 4

nopriv  wp_ajax_display_posts        includes\class-is.php:110
auth    wp_ajax_display_posts        includes\class-is.php:111
auth    wp_ajax_is_ajax_load_posts   includes\class-is.php:173
nopriv  wp_ajax_is_ajax_load_posts   includes\class-is.php:174

Shortcodes 1

[ivory-search] includes\class-is-admin-public.php:389
WordPress Hooks 50
action  plugins_loaded                  add-search-to-menu.php:172
action  admin_print_footer_scripts      admin\class-is-admin.php:68
action  customize_register              includes\class-is-customizer.php:58
action  save_post                       includes\class-is-index-manager.php:246
action  delete_post                     includes\class-is-index-manager.php:247
action  add_attachment                  includes\class-is-index-manager.php:250
action  edit_attachment                 includes\class-is-index-manager.php:251
action  delete_attachment               includes\class-is-index-manager.php:252
action  wp_insert_comment               includes\class-is-index-manager.php:255
action  edit_comment                    includes\class-is-index-manager.php:256
action  trashed_comment                 includes\class-is-index-manager.php:257
action  deleted_comment                 includes\class-is-index-manager.php:258
filter  get_search_form                 includes\class-is-search-form.php:346
action  widgets_init                    includes\class-is-widget.php:118
action  init                            includes\class-is.php:80
action  init                            includes\class-is.php:90
action  before_woocommerce_init         includes\class-is.php:91
filter  get_search_form                 includes\class-is.php:92
action  customize_register              includes\class-is.php:93
filter  upload_mimes                    includes\class-is.php:94
action  all_admin_notices               includes\class-is.php:105
action  admin_footer                    includes\class-is.php:106
action  plugin_action_links             includes\class-is.php:107
filter  plugin_row_meta                 includes\class-is.php:108
action  admin_menu                      includes\class-is.php:109
action  admin_enqueue_scripts           includes\class-is.php:112
action  admin_init                      includes\class-is.php:113
action  is_admin_notices                includes\class-is.php:114
filter  map_meta_cap                    includes\class-is.php:115
filter  admin_footer_text               includes\class-is.php:116
action  wp_enqueue_scripts              includes\class-is.php:139
action  wp_enqueue_scripts              includes\class-is.php:140
filter  query_vars                      includes\class-is.php:141
filter  body_class                      includes\class-is.php:142
action  wp_head                         includes\class-is.php:152
filter  wp_nav_menu_items               includes\class-is.php:156
action  init                            includes\class-is.php:159
filter  posts_distinct_request          includes\class-is.php:161
filter  posts_join                      includes\class-is.php:162
filter  posts_search                    includes\class-is.php:163
action  pre_get_posts                   includes\class-is.php:166
action  wp_footer                       includes\class-is.php:167
action  wp_head                         includes\class-is.php:168
action  parse_query                     includes\class-is.php:169
action  init                            includes\compatibility\class-is-tablepress-compat.php:11
filter  plugin_icon                     includes\freemius.php:46
filter  show_affiliate_program_notice   includes\freemius.php:50
action  after_uninstall                 includes\freemius.php:68
filter  posts_pre_query                 public\class-is-index-search.php:88
filter  the_posts                       public\class-is-public.php:493
Maintenance & Trust

Ivory Search – WordPress Search Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 22, 2026
PHP min version: 5.2.4
Downloads: 2.9M

Community Trust

Rating: 98/100
Number of ratings: 1,544
Active installs: 100K
Developer Profile

Ivory Search – WordPress Search Plugin Developer Profile

Vinod Dalvi

3 plugins · 109K total installs

Trust score: 71
Avg Security Score: 88/100
Avg Patch Time: 475 days
Detection Fingerprints

How We Detect Ivory Search – WordPress Search Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/add-search-to-menu/admin/css/ivory-search-admin.css
/wp-content/plugins/add-search-to-menu/admin/js/ivory-search-admin.js
/wp-content/plugins/add-search-to-menu/assets/css/is-frontend.css
/wp-content/plugins/add-search-to-menu/assets/js/is-frontend.js
/wp-content/plugins/add-search-to-menu/assets/js/is-search.js
Script Paths
/wp-content/plugins/add-search-to-menu/admin/js/ivory-search-admin.js
/wp-content/plugins/add-search-to-menu/assets/js/is-frontend.js
/wp-content/plugins/add-search-to-menu/assets/js/is-search.js
Version Parameters
add-search-to-menu/admin/css/ivory-search-admin.css?ver=
add-search-to-menu/admin/js/ivory-search-admin.js?ver=
add-search-to-menu/assets/css/is-frontend.css?ver=
add-search-to-menu/assets/js/is-frontend.js?ver=
add-search-to-menu/assets/js/is-search.js?ver=

HTML / DOM Fingerprints

CSS Classes
is-search-form-container
is-search-submit-button
is-search-input-field
HTML Comments
<!-- The main plugin class -->
<!-- Main Ivory Search Class -->
<!-- Core singleton class -->
<!-- Gets the instance of this class -->
(+16 more)
Data Attributes
data-is-search-id
JS Globals
ivory_search_admin_params