Executive Summary

CVE-2025-14719 is a SQL injection vulnerability in the Relevanssi WordPress plugins (Free versions below 4.26.0 and Premium versions below 2.29.0). The plugins do not properly sanitize and escape user-supplied parameters before using them in SQL queries. This allows users with Contributor or higher roles to inject malicious SQL code via crafted requests, potentially manipulating the database. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers with Contributor or higher roles to perform SQL injection attacks, which can lead to unauthorized database access, data manipulation, or denial of service by causing delays in the database response. This can compromise the integrity and availability of the WordPress site data. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by logging in as a user with Contributor or higher role and sending a crafted POST request to the WordPress admin AJAX endpoint `/wp-admin/admin-ajax.php` with manipulated `tax_query` parameters. For example, sending a request that includes a SQL payload such as `SLEEP(5)` can induce a delay, confirming the presence of the SQL injection vulnerability. [1]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, update the Relevanssi WordPress plugin to version 4.26.0 or later, or the Relevanssi Premium plugin to version 2.29.0 or later, where the issue has been fixed. Additionally, restrict Contributor and higher roles from sending untrusted input to the affected endpoints until the update is applied. [1]

Useful 0 Not Useful 0

Compliance Impact

The provided resources do not specify how this SQL injection vulnerability in the Relevanssi WordPress plugin affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0