
CVE-2025-4396: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Relevanssi Relevanssi – A Better Search (Pro)

High
Tags: Vulnerability, CVE-2025-4396, cve, cwe-89
Published: Tue May 13 2025 (05/13/2025, 03:21:29 UTC)
Source: CVE
Vendor/Project: Relevanssi
Product: Relevanssi – A Better Search (Pro)

Description

The Relevanssi – A Better Search plugin for WordPress is vulnerable to time-based SQL Injection via the cats and tags query parameters in all versions up to, and including, 4.24.4 (Free) and <= 2.27.4 (Premium) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries that can be used to extract sensitive information from the database.

AI-Powered Analysis

Last updated: 07/12/2025, 02:01:26 UTC

Technical Analysis

CVE-2025-4396 is a high-severity SQL Injection vulnerability affecting the Relevanssi – A Better Search plugin for WordPress, including both the Free version up to 4.24.4 and the Premium version up to 2.27.4. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89), specifically through the 'cats' and 'tags' query parameters. These parameters are insufficiently escaped and the underlying SQL queries are not properly prepared, allowing unauthenticated attackers to inject malicious SQL code. This injection is time-based, meaning attackers can infer data by measuring response delays, enabling extraction of sensitive database information without direct error messages. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS v3.1 score is 7.5, reflecting high impact on confidentiality with no impact on integrity or availability. Although no known exploits are currently reported in the wild, the ease of exploitation and the widespread use of WordPress and Relevanssi make this a significant threat. The plugin’s role in enhancing WordPress search functionality means that many websites, including those of European organizations, could be affected if they use vulnerable versions. Attackers could leverage this flaw to extract sensitive data such as user credentials, internal content, or configuration details, potentially leading to further compromise or data breaches.

Potential Impact

For European organizations, the impact of this vulnerability can be substantial. Many European companies and institutions rely on WordPress for their websites and intranets, and Relevanssi is a popular plugin to improve search capabilities. Exploitation could lead to unauthorized disclosure of sensitive information stored in the WordPress database, including personal data protected under GDPR. This could result in regulatory penalties, reputational damage, and loss of customer trust. Additionally, extracted data might be used to facilitate further attacks such as privilege escalation or lateral movement within networks. Given the unauthenticated nature of the exploit, attackers can target publicly accessible websites without needing credentials, increasing the risk of widespread exploitation. The time-based nature of the injection may allow attackers to remain stealthy, complicating detection efforts. Organizations in sectors with high data sensitivity, such as finance, healthcare, and government, are particularly at risk due to the potential exposure of confidential information.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should update the Relevanssi plugin to a patched release as soon as one is available; every version up to and including 4.24.4 (Free) and 2.27.4 (Premium) is affected. Until then, temporary mitigations include deploying a Web Application Firewall (WAF) with custom rules that detect and block SQL injection patterns in the 'cats' and 'tags' parameters; because these parameters are only meant to carry comma-separated term IDs, an allowlist rule that rejects any other value is more robust than a blocklist of injection signatures. Reviewing and restricting access to the affected search endpoints reduces exposure. Organizations should also audit their WordPress installations to identify every instance of the Relevanssi plugin and verify its version. Database activity monitoring can surface suspicious queries that indicate exploitation attempts, and in particular time-based probing shows up as search queries that take unusually long to return. Enforcing the principle of least privilege on the database account used by WordPress limits what a successful injection can read. Backups and incident response plans should be kept current in preparation for a potential data breach. Finally, organizations should monitor threat intelligence feeds for any emerging exploits related to CVE-2025-4396.
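As an added example, not from the advisory or from the Relevanssi project: a Python check that implements the allowlist idea behind the WAF and monitoring advice above. It validates that `cats`/`tags` values are plain comma-separated term IDs (a leading minus excluding a term; that this is the expected format is an assumption here) and runs the check over constructed access-log lines, flagging the requests that would have been worth blocking or alerting on.

```python
"""Allowlist check for Relevanssi's cats/tags query parameters, run over log lines.

Assumption (not from the advisory): both parameters are meant to carry a
comma-separated list of term IDs, optionally prefixed with '-' to exclude a term.
Anything else is never a legitimate value and is worth alerting on or blocking.
"""
import re
from urllib.parse import parse_qs, urlsplit

WATCHED_PARAMS = ("cats", "tags")
# ASCII digits only: \d would also accept Unicode digits that PHP's intval() does not.
ID_LIST = re.compile(r"-?[0-9]+(,-?[0-9]+)*")

def is_valid_term_list(value: str) -> bool:
    """True only for values like '12' or '1,2,-3'; empty or non-numeric input fails."""
    return ID_LIST.fullmatch(value.strip()) is not None

def suspicious_params(request_uri: str) -> dict:
    """Return {param: decoded value} for watched parameters that fail the allowlist."""
    query = parse_qs(urlsplit(request_uri).query, keep_blank_values=True)
    return {
        name: value
        for name in WATCHED_PARAMS
        for value in query.get(name, [])
        if not is_valid_term_list(value)
    }

# Just enough of the combined log format: client IP and the request URI.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<uri>\S+) [^"]*"')

def scan_log(lines):
    """Yield (client_ip, uri, offending_params) for each request that fails validation."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            bad = suspicious_params(m.group("uri"))
            if bad:
                yield m.group("ip"), m.group("uri"), bad

# Constructed sample log lines (TEST-NET addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [13/May/2025:10:00:01 +0000] "GET /?s=report&cats=1,2,-3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [13/May/2025:10:00:02 +0000] "GET /?s=report&cats=3%27 HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.12 - - [13/May/2025:10:00:03 +0000] "GET /?s=report&tags=5,%27x HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.13 - - [13/May/2025:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, uri, bad in scan_log(SAMPLE_LOG):
        print(f"{ip} {uri} -> {bad}")
```

The same `is_valid_term_list` rule can be expressed as a positive-match WAF condition on the two parameters, which avoids maintaining a list of injection signatures.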


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-05-06T20:10:28.220Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9816c4522896dcbd6565

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 7/12/2025, 2:01:26 AM

Last updated: 8/14/2025, 6:54:00 PM
