CVE-2025-4054
Description
The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the highlights functionality in all versions up to, and including, 4.24.3 (Free) and <= 2.27.4 (Premium), due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the search results.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Relevanssi plugin for WordPress is vulnerable to stored cross-site scripting via the highlights functionality, allowing unauthenticated attackers to inject arbitrary web scripts into search result pages.
Vulnerability
Overview
The Relevanssi – A Better Search plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in its highlights functionality. The flaw arises from insufficient input sanitization and output escaping, allowing untrusted data to be stored and later rendered in search result pages.
Exploitation
An unauthenticated attacker can exploit this vulnerability by injecting arbitrary web scripts into the search results through the highlights feature. When a user accesses a page that displays these search results, the injected script executes in the context of the victim's browser. No special privileges or authentication are required.
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the browsers of users viewing the compromised search results. This can lead to session hijacking, defacement, or redirection to malicious sites, potentially compromising user data and site integrity.
Mitigation
The vulnerability affects all versions up to and including 4.24.3 (Free) and <= 2.27.4 (Premium). Users should upgrade to the latest patched version of the plugin. For installation and update instructions, refer to the plugin's official documentation [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=2.27.4
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- plugins.trac.wordpress.org/browser/relevanssi/tags/4.24.3/lib/excerpts-highlights.phpnvd
- plugins.trac.wordpress.org/browser/relevanssi/tags/4.24.3/lib/excerpts-highlights.phpnvd
- plugins.trac.wordpress.org/changeset/3283795/nvd
- www.relevanssi.com/user-manual/installing-relevanssi-and-adjusting-the-settings/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/6f77f10b-f142-4859-a941-0fbde6ef7fdbnvd
News mentions
0No linked articles in our index yet.