If logged in as an administrator on any site, you can go to Settings > Relevanssi Premium and potentially extract all values in the database including password hashes and user activation tokens.

This is achieved by a SQL injection based on the fact that some of the configuration options are appended into a SQL query in a unsafe way.

The configuration page contains the following code, that allows the user to set the option relevanssi_post_type_weights to any value:

function update_relevanssi_options() {
    ....
    foreach ($_REQUEST as $key => $value) {
        if (substr($key, 0, strlen('relevanssi_weight_')) == 'relevanssi_weight_') {
            $type = substr($key, strlen('relevanssi_weight_'));
            $post_type_weights[$type] = $value;
        }
        ....
    }
    if (count($post_type_weights) > 0) {
        update_option('relevanssi_post_type_weights', $post_type_weights);
    }
    ....
}

Now when a search is made, the function relevanssi_search is called, this appends the user controled value into the SQL query:

$post_type_weights = get_option('relevanssi_post_type_weights');

...

!empty($post_type_weights['post_tag']) ? $tag = $post_type_weights['post_tag'] : $tag = $relevanssi_variables['post_type_weight_defaults']['post_tag'];

!empty($post_type_weights['category']) ? $cat = $post_type_weights['category'] : $cat = $relevanssi_variables['post_type_weight_defaults']['category'];

$query = "SELECT relevanssi.*, relevanssi.title * $title_boost +
          relevanssi.content + relevanssi.comment * $comment_boost +
          relevanssi.tag * $tag + relevanssi.link * $link_boost +
          relevanssi.author + relevanssi.category * $cat + relevanssi.excerpt +
          relevanssi.taxonomy + relevanssi.customfield + relevanssi.mysqlcolumn AS tf
          FROM $relevanssi_table AS relevanssi $query_join
          WHERE $term_cond $query_restrictions";

Current state: Fixed