Description
WordPress Plugin Relevanssi Premium - A Better Search is prone to multiple vulnerabilities, including SQL injection and arbitrary code execution. Exploiting these issues could allow an attacker to access or modify data, to execute arbitrary commands with the privileges of the user running the application, to compromise the application or the underlying database, or to compromise a vulnerable system. Version 1.14.4 of the plugin is vulnerable; prior versions may also be affected.
Remediation
Update the plugin to version 1.14.6.1 or the latest version.
References
http://seclists.org/fulldisclosure/2016/Nov/109
http://seclists.org/fulldisclosure/2016/Nov/108
https://packetstormsecurity.com/files/139802/Relevanssi-Premium-1.14.4-Code-Execution.html
https://packetstormsecurity.com/files/139803/Relevanssi-Premium-1.14.4-SQL-Injection.html