CVE-2025-4054: 
WordPress vulnerability analysis and mitigation

The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the highlights functionality in versions up to and including 4.24.3. The vulnerability was discovered and disclosed in May 2025, affecting all installations of the plugin that haven't been updated to version 4.24.4 (NVD, Wiz).

The vulnerability stems from insufficient input sanitization and output escaping in the highlights functionality. This security flaw allows unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses an injected page via the search results. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD, Wiz).

The vulnerability allows unauthenticated attackers to inject malicious scripts that execute in users' browsers when they view search results. This could lead to potential data theft, session hijacking, or other client-side attacks against users who access search results containing the injected scripts (Wiz).

The vulnerability has been patched in version 4.24.4. Site administrators are strongly advised to update to this version immediately. The update includes security fixes to prevent XSS attacks in comments when highlighting post content (WordPress Plugin).