Search Unleashed 0.2.10 JavaScript injection (Wordpress plugin)

Hello all,

There is a bug in "Log" function of Search Unleashed by John Godley,
version 0.2.10.

This plug-in stores search queries but does not validates stored data
and put them back "raw" to browser.

HTML and Java Script can be injected with search request:
/blog/?s=%3Ctextarea+onmouseover%3D%22alert%28document.cookie%29%3B%22%3E%3C%2Ftextarea%3E&searchbutton=go%21

To execute injected code admin have to go to Manage -> Search
Unleashed -> Log (and in my example point his cursor to text area).

Author was notified by his bug tracker:
http://urbangiraffe.com/tracker/issues/show/60

Regards,

Krzysztof Burghardt <[email protected]>
http://www.burghardt.pl/