CVE-2025-4054
published 2025-05-07CVE-2025-4054: The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the highlights functionality in all versions up to, and…
PriorityP427medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
0.38%
29.6th percentile
The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the highlights functionality in all versions up to, and including, 4.24.3 (Free) and <= 2.27.4 (Premium), due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the search results.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| comesio | relevanssi_a_better_search | <= 4.24.3 | — |
| relevanssi | relevanssi_premium | <= 2.27.4 | — |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vendor_redhat5.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-fhf5-p55m-mr5q: The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the highlights functionality in all versions up
ghsa_unreviewed·2025-05-07
CVE-2025-4054 [MEDIUM] CWE-79 GHSA-fhf5-p55m-mr5q: The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the highlights functionality in all versions up
The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the highlights functionality in all versions up to, and including, 4.24.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the search results.
Red Hat
kernel: Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT
vendor_redhat·2025-07-10·CVSS 5.5
CVE-2025-38335 [MEDIUM] CWE-662 kernel: Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT
kernel: Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT
In the Linux kernel, the following vulnerability has been resolved:
Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT
When enabling PREEMPT_RT, the gpio_keys_irq_timer() callback runs in
hard irq context, but the input_event() takes a spin_lock, which isn't
allowed there as it is converted to a rt_spin_lock().
[ 4054.289999] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
[ 4054.290028] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/0
...
[ 4054.290195] __might_resched+0x13c/0x1f4
[ 4054.290209] rt_spin_lock+0x54/0x11c
[ 4054.290219] input_event+0x48/0x80
[ 4054.290230] gpio_keys_irq_timer+0x4c/0x78
[ 4054.290243] __hrtimer_run_queues+0x1a4/0x438
[ 4
No detection rules found.
No public exploits indexed.
https://plugins.trac.wordpress.org/browser/relevanssi/tags/4.24.3/lib/excerpts-highlights.php#L508https://plugins.trac.wordpress.org/browser/relevanssi/tags/4.24.3/lib/excerpts-highlights.php#L683https://plugins.trac.wordpress.org/changeset/3283795/https://www.relevanssi.com/user-manual/installing-relevanssi-and-adjusting-the-settings/https://www.wordfence.com/threat-intel/vulnerabilities/id/6f77f10b-f142-4859-a941-0fbde6ef7fdb?source=cve
2025-05-07
Published