Relevanssi
cpe:2.3:a:relevanssi:relevanssi:*:*:*:*:wordpress:*:*
- < 4.26.0
A SQL injection vulnerability has been identified in the Relevanssi WordPress plugin, affecting versions prior to 4.26.0, and in the Relevanssi Premium WordPress plugin, prior to version 2.29.0. The plugins do not properly sanitize and escape a parameter before using it in a SQL statement, which allows users with the contributor role and above to perform SQL injection attacks.
Successful exploitation lets an attacker manipulate the SQL queries sent to the database. This could lead to unauthorized data access, data manipulation, or, in some cases, execution of administrative operations on the database.
To reproduce this vulnerability, log in as a contributor and navigate to the Relevanssi admin search page. From the web developer console, send a POST request to admin-ajax.php with the action parameter set to 'relevanssi_admin_search' and the args parameter carrying the injection payload, for example a time-based blind SQL injection. Then observe the response time: a delayed response suggests that the injected SQL payload was executed.
Users are advised to update to the latest versions of the Relevanssi WordPress plugin (4.26.0 or later) and the Relevanssi Premium WordPress plugin (2.29.0 or later).
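To check an installation against the fixed versions named above, the following added example (not code from the plugin or from this advisory) reads the `Version:` field of each plugin's header comment and compares it with 4.26.0 and 2.29.0. The directory slugs `relevanssi` and `relevanssi-premium` and the sample headers are assumptions constructed for illustration.

```python
import re

# Fixed versions taken from the advisory text; slugs are assumed directory names.
FIXED = {"relevanssi": (4, 26, 0), "relevanssi-premium": (2, 29, 0)}

# Matches the "Version:" field of a WordPress plugin header comment.
HEADER_VERSION = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)


def parse_version(text):
    """Turn '4.25.1' into (4, 25, 1), padding short versions with zeros."""
    parts = [int(p) for p in text.split(".") if p]
    return tuple(parts + [0] * (3 - len(parts)))


def header_version(php_source):
    """Return the header version as a tuple, or None if no header is found."""
    match = HEADER_VERSION.search(php_source[:8192])  # headers sit at the top of the file
    return parse_version(match.group(1)) if match else None


def audit(plugins):
    """Map each tracked slug in {slug: main-file source} to a status string."""
    report = {}
    for slug, source in plugins.items():
        if slug not in FIXED:
            continue  # not covered by this advisory
        found = header_version(source)
        if found is None:
            report[slug] = "unknown"  # unreadable header: review by hand
        else:
            report[slug] = "vulnerable" if found < FIXED[slug] else "patched"
    return report


# Constructed sample headers, not copied from the real plugin files.
SAMPLE = {
    "relevanssi": "<?php\n/**\n * Plugin Name: Relevanssi\n * Version: 4.25.1\n */\n",
    "relevanssi-premium": "<?php\n/**\n * Plugin Name: Relevanssi Premium\n * Version: 2.29.0\n */\n",
    "other-plugin": "<?php\n/**\n * Plugin Name: Other\n * Version: 1.0\n */\n",
}

if __name__ == "__main__":
    for slug, status in audit(SAMPLE).items():
        print(f"{slug}: {status}")
```

In practice, `plugins` would be filled by reading each plugin's main PHP file from the site's plugin directory.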