CVE-2025-5016: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Relevanssi Relevanssi – A Better Search (Pro)
The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Excerpt Highlights in all versions up to, and including, 4.24.5 (Free) and 2.27.6 (Premium) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-5016 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Relevanssi – A Better Search plugin for WordPress, including both the Free and Premium versions up to 4.24.5 and 2.27.6 respectively. The vulnerability arises from improper neutralization of input during web page generation, specifically in the Excerpt Highlights feature. Due to insufficient input sanitization and output escaping, unauthenticated attackers can inject arbitrary JavaScript code into pages generated by the plugin. When any user accesses a page containing the injected script, the malicious code executes in their browser context. This can lead to session hijacking, defacement, redirection to malicious sites, or other client-side attacks. The vulnerability has a CVSS 3.1 base score of 4.7 (medium severity), with the vector indicating network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), and low impact on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). No known exploits are reported in the wild yet, and no patches are currently linked. The vulnerability affects all versions up to the specified ones, implying a wide range of installations could be vulnerable. The CWE-79 classification confirms the issue is an XSS flaw due to improper input validation and output encoding during page rendering.
Potential Impact
For European organizations using WordPress sites with the Relevanssi plugin, this vulnerability poses a risk primarily to the confidentiality and integrity of user sessions and data. Attackers could exploit this flaw to execute malicious scripts in the context of site visitors, potentially stealing authentication cookies, redirecting users to phishing sites, or injecting fraudulent content. This can damage organizational reputation, lead to data breaches involving personal data protected under GDPR, and cause operational disruptions if users lose trust in the website. Since the vulnerability requires user interaction (visiting a compromised page), the impact depends on site traffic and user behavior. However, given the popularity of WordPress and Relevanssi in Europe, especially among SMEs and content-heavy sites, the risk is non-negligible. The scope change in CVSS indicates that exploitation could affect components beyond the plugin itself, possibly impacting other integrated systems or user accounts. The medium severity suggests moderate urgency but should not be ignored, especially for sites handling sensitive user data or financial transactions.
Mitigation Recommendations
1. Immediate mitigation involves disabling the Excerpt Highlights feature in Relevanssi until an official patch is released.
2. Apply strict Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce XSS impact.
3. Employ Web Application Firewalls (WAFs) with rules targeting common XSS payloads to block exploitation attempts.
4. Regularly audit and sanitize all user-generated content and inputs on the WordPress site, especially those processed by Relevanssi.
5. Monitor site logs for unusual requests or injection patterns targeting the Excerpt Highlights functionality.
6. Keep WordPress core and all plugins updated, and subscribe to vendor security advisories for timely patch releases.
7. Educate site administrators and users about the risks of clicking suspicious links and ensure multi-factor authentication is enabled to mitigate session hijacking risks.
8. Once a patch is available, prioritize immediate update of the Relevanssi plugin to the fixed version.
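The root cause named in the description is an excerpt-highlighting step that emits text without escaping it first. The following is an added example written for this page; it is not Relevanssi's code and does not reflect how the plugin or the patch is implemented. It shows the defensive pattern behind mitigations 2 and 4: escape the whole excerpt before any highlight markup is inserted, apply all search terms in a single pass so a later term can never match inside markup added for an earlier one, and send a CSP that refuses inline scripts. The `example_` function names are hypothetical; `esc_html()`, `sanitize_text_field()`, `add_action()` and the `send_headers` hook are real WordPress APIs, and the fallbacks at the top exist only so the file also runs with plain `php` outside WordPress.

```php
<?php
// Added example, not Relevanssi's code. Demonstrates escape-then-highlight
// for search excerpts plus a CSP header. Names prefixed "example_" are
// hypothetical. The fallbacks below approximate the real WordPress helpers
// so the script runs outside WordPress.

if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $text ) {
        // Strip tags and control characters, collapse whitespace (approximation).
        $text = strip_tags( (string) $text );
        $text = preg_replace( '/[\x00-\x1F\x7F]+/', '', $text );
        return trim( preg_replace( '/\s+/', ' ', $text ) );
    }
}

/**
 * Wrap each search term in <strong> inside an excerpt.
 *
 * The excerpt is escaped as a whole BEFORE any markup is added, so stored post
 * content (or the query itself) can never become live HTML. All terms are
 * matched in one pass, so a term cannot match inside the <strong> tags added
 * for another term.
 */
function example_safe_excerpt_highlight( string $excerpt, array $terms ): string {
    $safe = esc_html( $excerpt );

    $needles = [];
    foreach ( $terms as $term ) {
        // Escape the term the same way as the excerpt so "&" matches "&amp;".
        $needle = esc_html( sanitize_text_field( $term ) );
        if ( $needle !== '' ) {
            $needles[] = preg_quote( $needle, '/' );
        }
    }
    if ( ! $needles ) {
        return $safe;
    }
    // Longest terms first so "search" wins over "sea" when both are present.
    usort( $needles, fn( $a, $b ) => strlen( $b ) <=> strlen( $a ) );
    $pattern = '/' . implode( '|', $needles ) . '/iu';

    // $0 re-emits the matched, already escaped text; only our tags are HTML.
    // preg_replace() returns null on error (e.g. invalid UTF-8); fall back to
    // the escaped text rather than emitting nothing.
    return preg_replace( $pattern, '<strong class="excerpt-highlight">$0</strong>', $safe ) ?? $safe;
}

/**
 * Mitigation 2: a Content Security Policy that refuses inline scripts, so a
 * stray <script> or onerror= attribute that does reach the page is not run.
 * Adjust the allow-list to the site's real script origins and roll out with
 * Content-Security-Policy-Report-Only first.
 */
function example_send_csp_header(): void {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" );
}
if ( function_exists( 'add_action' ) ) {
    add_action( 'send_headers', 'example_send_csp_header' );
}

// Constructed sample input: a stored excerpt carrying markup, and a query
// that also tries to carry markup.
$excerpt = 'Best search plugin <img src=x onerror=alert(1)> for WordPress & more';
$terms   = [ 'search', '<script>', 'wordpress &' ];
echo example_safe_excerpt_highlight( $excerpt, $terms ), PHP_EOL;
```

With the constructed input, the `<img>` in the stored excerpt comes out as escaped text rather than an element, the `<script>` term is emptied by `sanitize_text_field()` and therefore matches nothing, and only the `<strong>` wrappers added by the function itself are real HTML. The order matters: escaping after wrapping would destroy the highlight tags, and wrapping without escaping is exactly the stored-XSS condition the advisory describes.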
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-20T19:13:58.866Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683a7ada182aa0cae2ce8ed1
Added to database: 5/31/2025, 3:43:22 AM
Last enriched: 7/8/2025, 12:56:55 PM
Last updated: 8/1/2025, 5:15:08 AM
Related Threats
- CVE-2025-41242: Vulnerability in VMware Spring Framework (Medium)
- CVE-2025-47206: CWE-787 in QNAP Systems Inc. File Station 5 (High)
- CVE-2025-5296: CWE-59 Improper Link Resolution Before File Access ('Link Following') in Schneider Electric SESU (High)
- CVE-2025-6625: CWE-20 Improper Input Validation in Schneider Electric Modicon M340 (High)
- CVE-2025-57703: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie (Medium)