I was alerted yesterday that Relevanssi Premium has an XSS vulnerability. If you are using the “Did you mean” feature, it is possible to construct a search query that contains scripts that are automatically run on the page if the “Did you mean” feature runs.
See the DXWSecurity report on the vulnerability.
Version 1.14.9 fixes this vulnerability. If you use the “Did you mean” feature on your site, upgrade the plugin immediately. There are also other bug fixes and small improvements in the new version:
- The “Did you mean” function had an XSS vulnerability, which is now removed.
- Minimum word length wasn’t applied to titles in indexing. It is now fixed. If you think this is a problem, rebuild the index.
- TablePress compatibility has been improved.
- Meta query handling has been improved, thanks to Maxime Culea.
- Improved WP_Query parameter support: setting query variable `sentence` to 1 forces phrase search.
Get the new version from the plugin auto update or from the download page.
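
The class of bug described above, shown as an added example that is not Relevanssi's code: a "Did you mean" suggestion written into the page without escaping, next to a version that escapes for each output context. The function names, the `/?s=` URL shape and the sample inputs are assumptions made for illustration, as is the premise that the suggestion text is derived from the search query.

```php
<?php
// Added illustration; not Relevanssi code. Function names are hypothetical.

// Unsafe pattern: the suggestion string goes into the page with no escaping,
// so any markup it carries becomes part of the document.
function did_you_mean_unsafe(string $suggestion): string
{
    return "Did you mean: <a href='/?s=" . $suggestion . "'>" . $suggestion . "</a>?";
}

// Hardened pattern: escape separately for each output context.
function did_you_mean_safe(string $suggestion): string
{
    // URL context: percent-encode the value as a query-string parameter.
    $href = '/?' . http_build_query(['s' => $suggestion]);

    // HTML attribute and text contexts: encode <, >, & and both quote types.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

    return sprintf(
        'Did you mean: <a href="%s">%s</a>?',
        htmlspecialchars($href, $flags, 'UTF-8'),
        htmlspecialchars($suggestion, $flags, 'UTF-8')
    );
}

// Constructed sample inputs: an ordinary correction and one carrying markup.
$samples = ['relevance', '<script>alert(1)</script>'];

foreach ($samples as $s) {
    echo 'unsafe: ', did_you_mean_unsafe($s), PHP_EOL;
    echo 'safe:   ', did_you_mean_safe($s), PHP_EOL;
}
```

Inside WordPress, `esc_html()`, `esc_attr()` and `esc_url()` do the same per-context escaping as the plain PHP calls used here.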