CVE-2024-7630

The Relevanssi – A Better Search plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.22.2 via the relevanssi_do_query() due to insufficient limitations on the posts that are returned when searching. This makes it possible for unauthenticated attackers to extract potentially sensitive information from password protected posts.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/changeset/3134753/relevanssi/trunk/lib/common.php	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/3fa78f4e-ede2-4863-a2d7-99bd8c7b5912?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:relevanssi:relevanssi:*:*:*:*:*:wordpress:*:*

History

29 Jan 2025, 16:22

Type	Values Removed	Values Added
References	~~() https://plugins.trac.wordpress.org/changeset/3134753/relevanssi/trunk/lib/common.php -~~	() https://plugins.trac.wordpress.org/changeset/3134753/relevanssi/trunk/lib/common.php - Patch
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/3fa78f4e-ede2-4863-a2d7-99bd8c7b5912?source=cve -~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/3fa78f4e-ede2-4863-a2d7-99bd8c7b5912?source=cve - Third Party Advisory
CPE		cpe:2.3:a:relevanssi:relevanssi::::::wordpress::*
CWE		NVD-CWE-noinfo
First Time		Relevanssi Relevanssi relevanssi

19 Aug 2024, 13:00

Type	Values Removed	Values Added
Summary		(es) El complemento Relevanssi – A Better Search para WordPress es vulnerable a la exposición de la información en todas las versiones hasta la 4.22.2 incluida a través de relevanssi_do_query() debido a limitaciones insuficientes en las publicaciones que se devuelven durante la búsqueda. Esto hace posible que atacantes no autenticados extraigan información potencialmente confidencial de publicaciones protegidas con contraseña.

16 Aug 2024, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-16 03:15

Updated : 2025-01-29 16:22

NVD link : CVE-2024-7630

Mitre link : CVE-2024-7630

CVE.ORG link : CVE-2024-7630

JSON object : View

Products Affected

relevanssi

relevanssi

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

{"id": "CVE-2024-7630", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-08-16T03:15:10.093", "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3134753/relevanssi/trunk/lib/common.php", "tags": ["Patch"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3fa78f4e-ede2-4863-a2d7-99bd8c7b5912?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "The Relevanssi \u2013 A Better Search plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.22.2 via the relevanssi_do_query() due to insufficient limitations on the posts that are returned when searching. This makes it possible for unauthenticated attackers to extract potentially sensitive information from password protected posts."}, {"lang": "es", "value": "El complemento Relevanssi \u2013 A Better Search para WordPress es vulnerable a la exposici\u00f3n de la informaci\u00f3n en todas las versiones hasta la 4.22.2 incluida a trav\u00e9s de relevanssi_do_query() debido a limitaciones insuficientes en las publicaciones que se devuelven durante la b\u00fasqueda. Esto hace posible que atacantes no autenticados extraigan informaci\u00f3n potencialmente confidencial de publicaciones protegidas con contrase\u00f1a."}], "lastModified": "2025-01-29T16:22:28.413", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:relevanssi:relevanssi:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "5C808B09-0182-4978-922E-C66615B160AE", "versionEndExcluding": "4.23.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}

5.3 /10