Relevanssi Live Ajax Search < 2.5 – Unauthenticated WP_Query Argument Injection | CVE 2024-7573 | Plugin Vulnerabilities

Description

The Relevanssi Live Ajax Search plugin for WordPress is vulnerable to argument injection in all versions up to, and including, 2.4. This is due to insufficient validation of input supplied via POST data in the 'search' function. This makes it possible for unauthenticated attackers to inject arbitrary arguments into a WP_Query query and potentially expose sensitive information such as attachments or private posts.

Affects Plugins

relevanssi-live-ajax-search

Fixed in 2.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/bbcb648a-4a3e-4645-bd62-4415b1cf6516

Classification

Type

INJECTION

OWASP top 10

CVSS

Miscellaneous

Original Researcher

scottaglia

Verified

No

WPVDB ID

07482da9-12fe-4538-9e3e-0d2598aa93c9

Timeline

Publicly Published

2024-08-27 (about 1 year ago)

Added

2024-08-27 (about 1 year ago)

Last Updated

2024-08-27 (about 1 year ago)

Other

Published

Title

Published

2023-06-23

Title

Supsystic Popup < 1.10.19 - Prototype Pollution

Published

2026-04-21

Title

HTTP Headers <= 1.19.2 - Administrator+ CRLF Injection via Custom Header Values

Published

2020-03-16

Title

Newsletter < 6.5.4 - CSV Injection

Published

2022-06-20

Title

WooCommerce < 6.6.0 - Admin+ Stored HTML Injection

Published

2026-03-27

Title

Pagelayer < 2.0.8 - Unauthenticated Email Header Injection via 'email'