Reflected XSS in Relevanssi Premium when using relevanssi_didyoumean() could allow unauthenticated attacker to do almost anything an admin can

CVSS base score: 5.8 (Medium)
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality: Partial
  Integrity: Partial
  Availability: None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Vulnerability

Relevanssi Premium contains a function called relevanssi_didyoumean, which theme authors are meant to call from their theme templates.

That function tokenises the search query and passes each token to a “spellchecker”, which searches the index for similar terms. Where a token looks like a possible spelling mistake it is replaced, and the function prints “Did you mean:” followed by the corrected query. The corrected query is not escaped before it is printed, so whatever the visitor typed into the search box is reflected into the page as raw HTML.
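To make the defect concrete, the following is an added example and not Relevanssi's own code: a minimal “did you mean” printer with the unescaped output pattern described above beside its escaped form. The spellchecker, the vocabulary and the query are constructed stand-ins; the plugin's real implementation is not reproduced here.

```php
<?php
// Added illustration, not Relevanssi's code: a minimal "did you mean" printer
// that reproduces the unescaped-output pattern next to the escaped form.
// The vocabulary, the query and the toy spellchecker are all constructed.

// Stand-in for the plugin's spellchecker (assumption: the real one differs).
// Each token is replaced by the nearest vocabulary term within edit distance 2;
// tokens with no close match are kept exactly as the visitor typed them.
function toy_spellcheck_tokens( array $tokens, array $vocabulary ) {
    $out = array();
    foreach ( $tokens as $token ) {
        $best          = $token;
        $best_distance = 3; // distance 3 or more never counts as a correction
        foreach ( $vocabulary as $term ) {
            $d = levenshtein( strtolower( $token ), $term );
            if ( 0 === $d ) {
                $best = $token; // already a known term: leave it alone
                break;
            }
            if ( $d < $best_distance ) {
                $best_distance = $d;
                $best          = $term;
            }
        }
        $out[] = $best;
    }
    return $out;
}

// Returns the corrected query, or null when nothing was corrected.
function toy_corrected_query( $query, array $vocabulary ) {
    $query     = trim( $query );
    $tokens    = preg_split( '/\s+/', $query );
    $corrected = implode( ' ', toy_spellcheck_tokens( $tokens, $vocabulary ) );
    return ( $corrected === $query ) ? null : $corrected;
}

// Vulnerable pattern: the corrected query is concatenated into the HTML as-is.
// Any token the spellchecker left untouched, including markup supplied by the
// visitor, lands in the page verbatim.
function didyoumean_unescaped( $query, $pre, $post, array $vocabulary ) {
    $corrected = toy_corrected_query( $query, $vocabulary );
    return ( null === $corrected ) ? '' : $pre . $corrected . $post;
}

// Hardened pattern: HTML-encode the text at the point where it is output.
// esc_html() is the WordPress helper for text placed in element content; the
// fallback lets this file run outside WordPress with the same effect.
function didyoumean_escaped( $query, $pre, $post, array $vocabulary ) {
    $corrected = toy_corrected_query( $query, $vocabulary );
    if ( null === $corrected ) {
        return '';
    }
    $safe = function_exists( 'esc_html' )
        ? esc_html( $corrected )
        : htmlspecialchars( $corrected, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return $pre . $safe . $post;
}

// Constructed inputs: a two-word index and the advisory's payload with a space
// inserted so the first token gets "corrected" while the second passes through.
$vocabulary = array( 'meow', 'purr' );
$query      = 'meo <script>alert(1)</script>';

echo didyoumean_unescaped( $query, '<p>Did you mean: ', '</p>', $vocabulary ), "\n";
echo didyoumean_escaped( $query, '<p>Did you mean: ', '</p>', $vocabulary ), "\n";
```

Run with `php` on the command line: the first line of output carries the visitor's script element verbatim inside the paragraph, while in the second every `<`, `>`, `&` and quote has been replaced by its HTML entity, which is all the fix needs. The escaping sits at the output step and applies whether or not the spellchecker touched a token, since an uncorrected token is just as much visitor input as a corrected one.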

Proof of concept

  • Install relevanssi-premium and activate it
  • Set the current theme to twentyseventeen
  • Follow the instructions by adding <?php if (function_exists('relevanssi_didyoumean')) { relevanssi_didyoumean(get_search_query(), "<p>Did you mean: ", "</p>", 5); }?> to the file search.php after get_header()
  • Create a post with title “meow” (it may not work if there are any posts containing “meo”)
  • Visit the Relevanssi Premium settings page and click “Build the index”
  • Visit /?s=meo%3Cscript%3Ealert(1)%3C/script%3E using a browser without built-in XSS filtering (e.g. Firefox)

Mitigation/further actions

Upgrade to version 1.14.9 or later.