Version 2.5.5 of SearchWP has just been released. It addresses a possible security vulnerability that was disclosed recently and subsequently resulted in an update to WordPress core in version 4.1.2. I want to explain the vulnerability and what it means for users of SearchWP.

This vulnerability only affected admin pages under very specific circumstances: Viewing an admin page while logged in and authenticated with the manage_options capability (unless otherwise customized using searchwp_settings_cap). While extremely unlikely, it is important that all security issues are fixed as soon as possible.

The vulnerability inspired a full audit of SearchWP’s codebase and subsequently version 2.5.5 includes a number of additional escaping, sanitizing, and casting implementations. This was done to improve the overall security of SearchWP should another vulnerability like this one appear over time, but to also clarify the codebase for other developers. While much of the data handling was already in place in SearchWP, having it happen as late as possible is considered best practice.

The underlying issue had to do with unescaped usage of add_query_arg() and all usage has been escaped as of version 2.5.5. URLs generated with add_query_arg() without escaping are possibly susceptible to Cross-site Scripting (XSS) attacks.

This issue was disclosed very publicly as it affects many WordPress plugins and also affected WordPress core. An update to WordPress was released (version 4.1.2) so it is recommended that you update SearchWP, WordPress, and all of your installed plugins/themes as quickly as possible to avoid any issues.

If you have any questions about this update, please contact me.

Other upates in 2.5.5

Version 2.5.5 also brings an improvement to the accuracy of ‘Today’ search stats, better exception handling with failed PDF parsing, and an added French translation.

If you are able to fully translate SearchWP into another language please contact me for a free SearchWP license as a thank you!

Full changelog:


  • [Security Fix] XSS prevention for authenticated users in the admin with add_query_arg
  • [Improved] Security improvements: additional/redundant escaping/preparing/casting so as to harden the code base and improve readability
  • [Improved] More accurate Today stats
  • [Improved] Better translation support
  • [Improved] Better exception handling with PDF parsing
  • [Fix] Better handling of misconfiguration when attributing an excluded post
  • [New] Added French translation

Want to make your search awesome right now?

More than 30,000 sites have chosen SearchWP!

You can utilize all of the content that’s gone unrecognized by native WordPress keyword search instantly with SearchWP.

Get SearchWP for just $99

  • Committed Support
    If you need help, support is fast, friendly, and here for you
  • Streamlined Setup
    Installation and setup that’s optimized for speed
  • Great Documentation
    Helpful, clear, and usable documentation is a priority

See what SearchWP customers have to say

  • “Jonathan went above and beyond to help resolve a support issue on my site. I love SearchWP anyway, it’s the go-to search plugin recommended to all of our clients, but the support offered in this instance was exceptional and very much appreciated.”

  • “What I like is that SearchWP has an easy setup and offers immediate improvement. I also like that Jonathan is honest about the limitations of the product. Over 20K posts/pages and he recommends you look elsewhere for reasonable performance.”

  • “SearchWP searches custom attributes. This is what I needed primarily for my client.”

[wpforms id="3080"]