Description
The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Excerpt Highlights in all versions up to, and including, 4.24.5 (Free) and 2.27.6 (Premium) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-05-31
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross‑Site Scripting via the Excerpt Highlights feature. Inadequate input sanitization and output escaping allow an attacker to embed arbitrary JavaScript that will execute whenever a user views an injected page, enabling credential theft, session hijacking, defacement, or deflection of traffic. The vulnerability is exploitable without any authentication and can be triggered when the attacker submits content that is saved in the excerpt highlights field.

Affected Systems

The flaw affects all free Relevanssi plugin versions up to and including 4.24.5 and all Relevanssi Premium versions up to and including 2.27.6. Administrators of WordPress sites running any of these releases are at risk.

Risk and Exploitability

With a CVSS score of 4.7 the vulnerability scores as moderate severity. The EPSS score of less than 1% indicates a low probability of exploitation at the time of this analysis, and the flaw is not listed in the CISA KEV catalog. Because it can be triggered by unauthenticated users who supply input stored in the excerpt highlights field, an attacker can plant malicious scripts that will execute in the browsers of any user who visits the affected page. The lack of authentication requirement and the widespread usage of the plugin amplify the potential impact.

Generated by OpenCVE AI on April 21, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Relevanssi plugin (free and Premium) to the latest release that includes the stored XSS fix for Excerpt Highlights
  • If an immediate upgrade is not possible, disable or remove the Excerpt Highlights feature to eliminate the injection vector
  • Ensure that any excerpt highlight content is properly sanitized and escaped on output, following best practices for preventing HTML and JavaScript injection (CWE-79)

Generated by OpenCVE AI on April 21, 2026 at 20:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-16540 The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Excerpt Highlights in all versions up to, and including, 4.24.5 (Free) and 2.27.6 (Premium) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 02 Jun 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 31 May 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Excerpt Highlights in all versions up to, and including, 4.24.5 (Free) and 2.27.6 (Premium) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Relevanssi <= 4.24.5 (Free) and <= 2.27.6 (Premium) - Unauthenticated Stored Cross-Site Scripting via Excerpt Highlights
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:35:22.720Z

Reserved: 2025-05-20T19:13:58.866Z

Link: CVE-2025-5016

cve-icon Vulnrichment

Updated: 2025-06-02T15:18:54.016Z

cve-icon NVD

Status : Deferred

Published: 2025-05-31T04:15:25.893

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5016

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:45:25Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')