Reflected XSS in Relevanssi Premium when using relevanssi_didyoumean() could allow unauthenticated attacker to do almost anything an admin can

Relevanssi Premium contains a function called relevanssi_didyoumean which is meant to be added to the theme by theme authors.

That function tokenises the search query and passes each token to a “spellchecker”, which looks in the database for similar terms. If any token looks like a spelling mistake it is replaced, and the function prints “Did you mean:” followed by the new query. The new query is not escaped before being printed, so any part of the original query that the spellchecker leaves untouched is reflected into the page as raw HTML.
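The following is an added illustration, not Relevanssi’s own code: a minimal “did you mean” helper in the shape the advisory describes, returning the unescaped markup beside the escaped form that fixes the issue. Splitting on whitespace, a Levenshtein cut-off of two edits and the in-memory term list are assumptions for the example; the plugin reads its candidates from the search index in the database.

```php
<?php
// Added illustration, not Relevanssi's code. Tokenising on whitespace,
// the Levenshtein cut-off and the in-memory term list are assumptions;
// the plugin takes its candidate terms from the index in the database.

// Return the closest indexed term to $token, or $token itself when no
// term is within two edits of it.
function closest_term( string $token, array $index_terms ): string {
    $best          = $token;
    $best_distance = 3; // accept a candidate only if fewer than 3 edits away
    foreach ( $index_terms as $term ) {
        $d = levenshtein( $token, $term );
        if ( $d < $best_distance ) {
            $best_distance = $d;
            $best          = $term;
        }
    }
    return $best;
}

// Build the "Did you mean" markup, or '' when no token was corrected.
// $escape selects the vulnerable path (false) or the fixed path (true).
function didyoumean_html( string $query, array $index_terms, bool $escape ): string {
    $tokens     = preg_split( '/\s+/', trim( $query ) );
    $fixed      = array_map( fn( $t ) => closest_term( $t, $index_terms ), $tokens );
    $suggestion = implode( ' ', $fixed );
    if ( $suggestion === $query ) {
        return '';
    }
    // Vulnerable: tokens the spellchecker left alone are reflected verbatim.
    // Fixed: escape the suggestion as HTML text before it reaches the page
    // (inside WordPress, esc_html() does the same job).
    $text = $escape ? htmlspecialchars( $suggestion, ENT_QUOTES, 'UTF-8' ) : $suggestion;
    return '<p>Did you mean: ' . $text . '</p>';
}

$index_terms = [ 'meow', 'purr' ];              // constructed sample index
$query       = 'meo <script>alert(1)</script>'; // constructed: a typo plus markup

// First line: the script element survives into the response body.
echo didyoumean_html( $query, $index_terms, false ), "\n";
// Second line: the same suggestion with its angle brackets encoded.
echo didyoumean_html( $query, $index_terms, true ), "\n";
```

Running the script prints the markup twice; only the first copy would execute in a browser, and a plain search query without markup renders identically on both paths.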

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability:

  • Score: 5.8 (Medium)
  • Vector: Network
  • Complexity: Medium
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  • Install relevanssi-premium and activate it
  • Set the current theme to twentyseventeen
  • Follow the instructions by adding <?php if (function_exists('relevanssi_didyoumean')) { relevanssi_didyoumean(get_search_query(), "<p>Did you mean: ", "</p>", 5); }?> to the file search.php after get_header()
  • Create a post with title “meow” (it may not work if there are any posts containing “meo”)
  • Visit the Relevanssi Premium settings page and click “Build the index”
  • Visit /?s=meo%3Cscript%3Ealert(1)%3C/script%3E using a browser without XSS prevention (e.g. Firefox)

Advisory timeline

  • 2017-02-11: dxw was informed about an XSS on a client site by Nathan Lee Grant
  • 2017-02-13: Investigated and found the cause to be Relevanssi Premium
  • 2017-02-13: Reported to plugin author via
  • 2017-02-13: Vendor’s first reply
  • 2017-02-14: Vendor reported fixed in version 1.14.9
  • 2017-02-15: Requested CVE
  • 2017-02-28: Advisory published
  • 2017-08-23: Received CVE

Mitigation/further actions

Upgrade to version 1.14.9 or later.