CVE-2024-1380
Published 2024-03-13
Priority P3 · 54 · medium · 5.3 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploit prediction (EPSS): 50.19% (98.8th percentile)
The Relevanssi – A Better Search plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relevanssi_export_log_check() function in all versions up to, and including, 4.22.0 (Free) and 2.25.0 (Premium). This makes it possible for unauthenticated attackers to export the query log data. The vendor has indicated that they may look into adding a capability check for proper authorization control, however, this vulnerability is theoretically patched as is.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| comesio | relevanssi_a_better_search | <= 4.22.0 | — |
| relevanssi | relevanssi | < 4.22.1 | 4.22.1 |
| relevanssi | relevanssi_premium | <= 2.25.0 | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with body parameter 'relevanssi_export=1' from unauthenticated (no valid session/nonce) sources.
- The vulnerable function is relevanssi_export_log_check(); monitor for its invocation without a capability check in WordPress audit logs or WAF telemetry.
- The vulnerability is described as 'theoretically patched as is' by the vendor, meaning no code change may have been shipped; defenders should not assume an update fully remediates the issue without verifying that a capability check was actually added.
- Both the Free (≤4.22.0) and Premium (≤2.25.0) variants of Relevanssi are affected; detection rules and patch verification must cover both product lines.
VulDB
CVE-2024-1380 [MEDIUM] msaari Relevanssi Plugin up to 4.22.0 on WordPress relevanssi_export_log_check authorization
vuldb · 2026-04-12 · CVSS 5.3
A vulnerability described as problematic has been identified in msaari Relevanssi Plugin up to 4.22.0 on WordPress. The impacted element is the function relevanssi_export_log_check. The manipulation results in missing authorization.
This vulnerability was named CVE-2024-1380. The attack may be performed from remote. There is no available exploit.
GHSA
CVE-2024-47805 [MEDIUM] CWE-200 Jenkins Credentials plugin reveals encrypted values of credentials to users with Extended Read permission
ghsa · 2024-10-02
Jenkins Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the `SecretBytes` type (e.g., Certificate credentials, or Secret file credentials from Plain Credentials Plugin) when accessing item `config.xml` via REST API or CLI.
This allows attackers with Item/Extended Read permission to view encrypted `SecretBytes` values in credentials.
This issue is similar to SECURITY-266 in the 2016-05-11 security advisory, which applied to the `Secret` type used for inline secrets and some credentials types.
Credentials Plugin 1381.v2c3a_12074da_b_ redacts the encrypted values of credentials using the `Sec
GHSA
CVE-2024-1380 [MEDIUM] CWE-862 GHSA-4223-r78w-6q8p: The Relevanssi – A Better Search plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relevanssi
ghsa_unreviewed · 2024-03-13
The Relevanssi – A Better Search plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relevanssi_export_log_check() function in all versions up to, and including, 4.22.0. This makes it possible for unauthenticated attackers to export the query log data. The vendor has indicated that they may look into adding a capability check for proper authorization control, however, this vulnerability is theoretically patched as is.
No detection rules found.
Nuclei
CVE-2024-1380 [MEDIUM] Relevanssi (A Better Search) <= 4.22.0 - Query Log Export
nuclei · CVSS 5.3
The Relevanssi Search plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in all versions up to, and including, 4.22.0. This makes it possible for unauthenticated attackers to export the query log data.
Template:

```yaml
id: CVE-2024-1380

info:
  name: Relevanssi (A Better Search) <= 4.22.0 - Query Log Export
  author: FLX
  severity: medium
  description: |
    The Relevanssi Search plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in all versions up to, and including, 4.22.0. This makes it possible for unauthenticated attackers to export the query log data.
  impact: |
    Unauthenticated attackers can export query log data containing search terms and pote
```
References:
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3033880%40relevanssi&new=3033880%40relevanssi&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7b2a3b17-0551-4e02-8e6a-ae8d46da0ef8?source=cve