
CVE-2025-4054: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in msaari Relevanssi – A Better Search

Severity: Medium
Tags: Vulnerability, CVE-2025-4054, CWE-79
Published: Wed May 07 2025 (05/07/2025, 02:23:35 UTC)
Source: CVE
Vendor/Project: msaari
Product: Relevanssi – A Better Search

Description

The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the highlights functionality in all versions up to, and including, 4.24.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the search results.

AI-Powered Analysis

Last updated: 07/05/2025, 15:25:00 UTC

Technical Analysis

CVE-2025-4054 is a stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin 'Relevanssi – A Better Search' by msaari, affecting all versions up to and including 4.24.3. The root cause is insufficient input sanitization and output escaping in the plugin's highlights functionality, the feature that marks up matching search terms in the rendered page. Because that output is not escaped correctly, an unauthenticated attacker can get script-bearing input rendered as live markup in a page that users reach through the search results, and the script runs in the browser of every user who opens that page.

The injected script executes in the site's own origin. It can therefore read the page DOM, harvest WordPress nonces and issue authenticated requests to the site (REST API, admin-ajax, wp-admin actions) as the victim, which is enough for defacement, user impersonation and redirection to attacker-controlled sites. Outright theft of the login cookie is less likely than generic XSS write-ups suggest, because WordPress sets its authentication cookies with the HttpOnly flag by default; the practical impact comes from what the script can do inside the victim's session rather than from exfiltrating the cookie.

The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.1 (medium severity) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: network attack vector, low attack complexity, no privileges required, user interaction required (the victim must open the affected page), changed scope (the script runs in the visitor's browser rather than in the plugin's own security scope), low confidentiality and integrity impact, and no availability impact. At the time of this analysis no exploitation in the wild had been reported and no official patch had been linked to the record. The CVE was reserved on April 28, 2025 and published on May 7, 2025. Relevanssi is widely installed on WordPress sites as a replacement for the default search, so the vulnerability is relevant to many sites that depend on it.
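To make the escaping defect concrete, the following Python is a generic term highlighter written for this page; it is not Relevanssi's code and does not claim to be the plugin's actual code path. `highlight_unsafe` decodes stored content so the search term can be matched against the text a reader sees, wraps the match, and returns the decoded string, which revives markup that was neutralised when the content was saved. `highlight_safe` matches on the same decoded text but re-escapes every piece it emits, so the only markup in the output is the highlight tag itself. The stored body and the search terms are constructed sample data, and the decode-then-forget pattern is an assumption used for illustration.

```python
import html
import re

# Constructed sample data for this example. STORED_BODY is what a comment
# or post body might look like after the platform escaped an attacker's
# submission when it was saved: the tag is entity-encoded and inert.
STORED_BODY = (
    "Reset your password from the account page. "
    "&lt;img src=x onerror=alert(document.domain)&gt;"
)

HIGHLIGHT_OPEN = '<strong class="highlight">'
HIGHLIGHT_CLOSE = "</strong>"


def highlight_unsafe(content: str, term: str) -> str:
    """Vulnerable pattern (assumed for illustration, not the plugin's code).

    Entities are decoded so the term matches the text a reader sees, the
    match is wrapped in a tag, and the decoded string is returned as-is.
    Whatever was neutralised at save time is live markup again.
    """
    text = html.unescape(content)
    pattern = re.compile(re.escape(term), re.IGNORECASE)
    return pattern.sub(lambda m: HIGHLIGHT_OPEN + m.group(0) + HIGHLIGHT_CLOSE, text)


def highlight_safe(content: str, term: str) -> str:
    """Hardened form: match on decoded text, but re-escape every emitted piece.

    The term is escaped too, so a term containing '<' or '"' cannot break
    out of the highlight tag. For HTML content rather than plain text,
    apply this to text nodes only and never to attribute values.
    """
    text = html.unescape(content)
    if not term:
        # An empty pattern would match at every position; just escape.
        return html.escape(text)
    pattern = re.compile(re.escape(term), re.IGNORECASE)
    out = []
    last = 0
    for m in pattern.finditer(text):
        out.append(html.escape(text[last:m.start()]))
        out.append(HIGHLIGHT_OPEN + html.escape(m.group(0)) + HIGHLIGHT_CLOSE)
        last = m.end()
    out.append(html.escape(text[last:]))
    return "".join(out)


def live_tags(fragment: str) -> set:
    """Names of opening tags present in a rendered fragment: a quick check
    that nothing but the highlight tag survived escaping."""
    return {t.lower() for t in re.findall(r"<([A-Za-z][A-Za-z0-9]*)", fragment)}


if __name__ == "__main__":
    for fn in (highlight_unsafe, highlight_safe):
        rendered = fn(STORED_BODY, "password")
        print(fn.__name__, sorted(live_tags(rendered)))
        print("   ", rendered)
```

Running the block shows the unsafe variant emitting a live `<img ... onerror=...>` alongside the highlight tag, while the safe variant keeps it as `&lt;img ...&gt;` text. The `live_tags` helper is the kind of check to keep in a test suite for any code that decodes content before re-rendering it.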

Potential Impact

For European organizations, this vulnerability poses a significant risk to those running WordPress sites with the Relevanssi plugin enabled. Attackers can use it to execute scripts in the browsers of site visitors, including employees, customers and partners, which can lead to actions performed in the victim's authenticated session, exposure of sensitive information shown on the page, or delivery of malware through redirects. Organizations in sectors such as e-commerce, government, healthcare and finance that rely on WordPress for public-facing websites or intranets are particularly exposed. The consequences include potential data breaches, reputational damage and regulatory non-compliance under GDPR if personal data is compromised. Since exploitation requires user interaction (visiting a search result page that carries the injected script), phishing or social engineering campaigns could be used to lure victims to it. Because the script runs within the site's own origin, the same-origin policy does not contain it: the script can interact with any page, form or API on the affected domain as the victim, so a single vulnerable plugin exposes everything the site hosts. Although the CVSS score is medium, the changed scope and the fact that unauthenticated attackers can inject scripts without any privileges raise the threat level for organizations with high web traffic and sensitive user bases.

Mitigation Recommendations

1. Until a fixed release is installed, disable the highlighting options in the plugin's excerpt and highlighting settings if the site can do without term highlighting; this takes the vulnerable code path out of the rendered pages. Update as soon as a release that addresses CVE-2025-4054 is available.
2. Deploy a Web Application Firewall (WAF) with rules that inspect the search input (the `s` query parameter and any highlight parameter the plugin emits) for tag openers, inline event handlers and `javascript:` URLs. Decode the value before matching, since double-encoded payloads slip past rules that look only at the raw query string. Treat this as a stopgap, not a fix.
3. Apply a Content Security Policy (CSP) that restricts `script-src` to trusted hosts and allows inline scripts only via nonces or hashes. WordPress core, themes and plugins emit inline scripts, so roll the policy out in `Content-Security-Policy-Report-Only` mode first and fix the violations it reports before enforcing it.
4. Monitor web server logs for search requests containing script indicators and follow up on user reports of unexpected behaviour on search result pages.
5. Brief site administrators and content managers on the issue and have them apply the update as soon as it is released.
6. Test the site's own search: submit a harmless markup probe such as `<b>probe</b>` as a search term and confirm it is rendered as text, not as markup, both in the result excerpts and in highlighted documents opened from the results.
7. Consider runtime application self-protection (RASP) to detect and block exploitation attempts in real time.
8. Review session handling: WordPress already sets its authentication cookies HttpOnly, so focus on short session lifetimes for privileged accounts and use the profile page's "Log Out Everywhere Else" to invalidate sessions if compromise is suspected.
9. For organizations running multiple WordPress instances, inventory which ones carry Relevanssi and at what version (WP-CLI's `wp plugin list` gives this per site) and prioritize the instances exposed to the public internet.
10. Track the plugin's changelog and the assigner's (Wordfence) advisory for the patch release and any follow-up guidance.
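The WAF and log-monitoring recommendations (items 2 and 4) both come down to inspecting the search parameters of incoming requests for script indicators after URL decoding. The following Python, added here and not part of the page or of the plugin, does that over constructed access-log lines in Apache/nginx combined format: it extracts the `s` query parameter (WordPress's own search parameter) and a `highlight` parameter (assumed here to be the name of the term-highlighting parameter; adjust it to whatever your installation actually emits), decodes repeatedly to catch double encoding, and reports which indicators matched. The IP addresses, timestamps and payloads are constructed, not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access-log lines in "combined" format; not real traffic.
# Lines 2, 3, 5 and 6 carry script indicators (line 6 double-encoded);
# line 4 is an ordinary asset request with no query string.
SAMPLE_LOG = """\
203.0.113.7 - - [07/May/2025:10:01:12 +0000] "GET /?s=gdpr+policy HTTP/1.1" 200 18211 "-" "Mozilla/5.0"
203.0.113.9 - - [07/May/2025:10:02:03 +0000] "GET /?s=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E HTTP/1.1" 200 18322 "-" "curl/8.4.0"
198.51.100.4 - - [07/May/2025:10:02:40 +0000] "GET /?s=test&highlight=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1" 200 18400 "-" "Mozilla/5.0"
198.51.100.5 - - [07/May/2025:10:03:15 +0000] "GET /wp-content/uploads/2025/05/x.png HTTP/1.1" 200 5120 "https://example.test/?s=report" "Mozilla/5.0"
203.0.113.12 - - [07/May/2025:10:04:00 +0000] "GET /?s=javascript%3Aalert%281%29 HTTP/1.1" 200 18100 "-" "Mozilla/5.0"
203.0.113.9 - - [07/May/2025:10:04:31 +0000] "GET /?s=%253Cscript%253E HTTP/1.1" 200 18322 "-" "curl/8.4.0"
"""

# "s" is WordPress's search parameter. "highlight" is assumed to be the
# parameter carrying the term to mark up on the landing page; change it
# to match what your site actually emits.
WATCHED_PARAMS = ("s", "highlight")

# Indicators checked after decoding. Deliberately narrow: tag openers and
# closers, inline event handlers, and javascript: URLs.
INDICATORS = {
    "tag": re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_url": re.compile(r"javascript\s*:", re.I),
}

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of URL encoding so a double-encoded
    payload such as %253Cscript%253E is inspected as <script>."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line: str):
    """Return a finding dict if a watched search parameter on this log
    line carries script indicators, otherwise None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    for name in WATCHED_PARAMS:
        for raw in params.get(name, []):
            value = decode_fully(raw)
            hits = [label for label, rx in INDICATORS.items() if rx.search(value)]
            if hits:
                return {
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "param": name,
                    "value": value,
                    "indicators": hits,
                }
    return None


def find_suspicious(log_text: str) -> list:
    """Scan a whole log and collect findings in file order."""
    return [f for f in map(inspect_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(f'{finding["time"]} {finding["ip"]} {finding["param"]}='
              f'{finding["value"]!r} -> {", ".join(finding["indicators"])}')
```

The same three indicator patterns, applied to the decoded parameter value, are what a WAF rule for item 2 should express; the point of `decode_fully` is that a rule matching only the raw query string never sees `%253Cscript%253E` as a tag. Keep the indicator set narrow and review hits by hand: searches for legitimate text such as "season=2" must not trip the event-handler pattern, which is why it requires a word boundary before `on`.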


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-04-28T22:40:29.874Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d981bc4522896dcbd9bf8

Added to database: 5/21/2025, 9:08:43 AM

Last enriched: 7/5/2025, 3:25:00 PM

Last updated: 7/31/2025, 10:01:24 AM


