Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities found for Relevanssi Live Ajax Search by comesio
CVE-2024-7573 (GCVE-0-2024-7573)
Vulnerability from nvd – Published: 2024-08-28 02:05 – Updated: 2026-04-08 17:18
VLAI?
Title
Relevanssi Live Ajax Search <= 2.4 - Unauthenticated WP_Query Argument Injection
Summary
The Relevanssi Live Ajax Search plugin for WordPress is vulnerable to argument injection in all versions up to, and including, 2.4. This is due to insufficient validation of input supplied via POST data in the 'search' function. This makes it possible for unauthenticated attackers to inject arbitrary arguments into a WP_Query query and potentially expose sensitive information such as attachments or private posts.
Severity ?
5.3 (Medium)
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| comesio | Relevanssi Live Ajax Search |
Affected:
0 , ≤ 2.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:relevanssi:relevanssi-live-ajax-search:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "relevanssi-live-ajax-search",
"vendor": "relevanssi",
"versions": [
{
"lessThanOrEqual": "2.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7573",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T13:44:24.447886Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T13:48:45.580Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Relevanssi Live Ajax Search",
"vendor": "comesio",
"versions": [
{
"lessThanOrEqual": "2.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nicola Scattaglia"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Relevanssi Live Ajax Search plugin for WordPress is vulnerable to argument injection in all versions up to, and including, 2.4. This is due to insufficient validation of input supplied via POST data in the \u0027search\u0027 function. This makes it possible for unauthenticated attackers to inject arbitrary arguments into a WP_Query query and potentially expose sensitive information such as attachments or private posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:18:36.068Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bbcb648a-4a3e-4645-bd62-4415b1cf6516?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3135074/relevanssi-live-ajax-search"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-13T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-08-27T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Relevanssi Live Ajax Search \u003c= 2.4 - Unauthenticated WP_Query Argument Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7573",
"datePublished": "2024-08-28T02:05:44.057Z",
"dateReserved": "2024-08-06T19:44:06.508Z",
"dateUpdated": "2026-04-08T17:18:36.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-7573 (GCVE-0-2024-7573)
Vulnerability from cvelistv5 – Published: 2024-08-28 02:05 – Updated: 2026-04-08 17:18
VLAI?
Title
Relevanssi Live Ajax Search <= 2.4 - Unauthenticated WP_Query Argument Injection
Summary
The Relevanssi Live Ajax Search plugin for WordPress is vulnerable to argument injection in all versions up to, and including, 2.4. This is due to insufficient validation of input supplied via POST data in the 'search' function. This makes it possible for unauthenticated attackers to inject arbitrary arguments into a WP_Query query and potentially expose sensitive information such as attachments or private posts.
Severity ?
5.3 (Medium)
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| comesio | Relevanssi Live Ajax Search |
Affected:
0 , ≤ 2.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:relevanssi:relevanssi-live-ajax-search:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "relevanssi-live-ajax-search",
"vendor": "relevanssi",
"versions": [
{
"lessThanOrEqual": "2.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7573",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T13:44:24.447886Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T13:48:45.580Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Relevanssi Live Ajax Search",
"vendor": "comesio",
"versions": [
{
"lessThanOrEqual": "2.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nicola Scattaglia"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Relevanssi Live Ajax Search plugin for WordPress is vulnerable to argument injection in all versions up to, and including, 2.4. This is due to insufficient validation of input supplied via POST data in the \u0027search\u0027 function. This makes it possible for unauthenticated attackers to inject arbitrary arguments into a WP_Query query and potentially expose sensitive information such as attachments or private posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:18:36.068Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bbcb648a-4a3e-4645-bd62-4415b1cf6516?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3135074/relevanssi-live-ajax-search"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-13T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-08-27T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Relevanssi Live Ajax Search \u003c= 2.4 - Unauthenticated WP_Query Argument Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7573",
"datePublished": "2024-08-28T02:05:44.057Z",
"dateReserved": "2024-08-06T19:44:06.508Z",
"dateUpdated": "2026-04-08T17:18:36.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}