CVE-2025-14719
Description
The Relevanssi WordPress plugin before 4.26.0, Relevanssi Premium WordPress plugin before 2.29.0 do not sanitize and escape a parameter before using it in a SQL statement, allowing contributor and above roles to perform SQL injection attacks
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Relevanssi WordPress plugin before 4.26.0 and Premium before 2.29.0 are vulnerable to SQL injection via an unsanitized parameter, allowing contributors and above to execute arbitrary SQL.
The Relevanssi WordPress plugin and its premium version fail to sanitize and escape a parameter before including it in a SQL statement, leading to a SQL injection vulnerability [1]. This flaw exists in versions before 4.26.0 (free) and 2.29.0 (premium).
The vulnerability can be exploited by authenticated users with contributor-level access or higher, requiring no additional privileges beyond those already assigned. The attack involves manipulating the unsanitized parameter to inject malicious SQL queries.
Successful exploitation allows an attacker to execute arbitrary SQL commands against the database, potentially extracting sensitive data, modifying database content, or compromising the site further.
Both the free and premium versions of the plugin have addressed this issue in releases 4.26.0 and 2.29.0 respectively. Users are strongly advised to update to the latest versions to mitigate the risk [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <2.29.0
- Range: <4.26.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.