CVE-2025-14719
BaseFortify
Publication date: 2026-01-07
Last updated on: 2026-01-08
Assigner: WPScan
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| relevanssi | relevanssi | to 4.26.0 (exc) |
| relevanssi | relevanssi_premium | to 2.29.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14719 is a SQL injection vulnerability in the Relevanssi WordPress plugins (Free versions below 4.26.0 and Premium versions below 2.29.0). The plugins do not properly sanitize and escape user-supplied parameters before using them in SQL queries. This allows users with Contributor or higher roles to inject malicious SQL code via crafted requests, potentially manipulating the database. [1]
How can this vulnerability impact me?
This vulnerability allows attackers with Contributor or higher roles to perform SQL injection attacks, which can lead to unauthorized database access, data manipulation, or denial of service by causing delays in the database response. This can compromise the integrity and availability of the WordPress site data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by logging in as a user with a Contributor or higher role and sending a crafted POST request to the WordPress admin AJAX endpoint `/wp-admin/admin-ajax.php` with manipulated `tax_query` parameters. For example, a request that includes a SQL payload such as `SLEEP(5)` induces a delay in the response, confirming the presence of the SQL injection vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update the Relevanssi WordPress plugin to version 4.26.0 or later, or the Relevanssi Premium plugin to version 2.29.0 or later, where the issue has been fixed. Additionally, restrict Contributor and higher roles from sending untrusted input to the affected endpoints until the update is applied. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this SQL injection vulnerability in the Relevanssi WordPress plugin affects compliance with common standards and regulations such as GDPR or HIPAA.