I was told today that there is a security vulnerability in Relevanssi. It is possible to set the post type and taxonomy weights to values that are not numbers, and those values will be inserted into SQL queries, making SQL injection possible.
However, it requires either admin access to WordPress dashboard or direct access to the server to set the values, and despite trying different approaches, the worst I could do was to break the Relevanssi search (I tried to destroy tables from the database, but couldn’t make that happen). So, as far as I can tell, this is a relatively minor security vulnerability.
However, all security vulnerabilities are taken seriously and fixed immediately. Version 1.16.1 of Relevanssi Premium and 3.6.1 of the free Relevanssi are safe from the this vulnerability.
There are also other improvements in these versions:
- Premium: Multisite meta queries didn’t work properly.
- Premium: The filter relevanssi_tax_term_additional_content now works even when the taxonomy description is empty.
- Premium: Relevanssi taxonomy term indexing is moved to a later priority (from 10 to 9999) to make sure all term data is available for indexing.
- Both: Search and Filter shortcode is added to the blacklist.
- Both: Groups plugin is now supported automatically to restrict access to posts.
- Both: The filter relevanssi_index_custom_fields now works even if the custom field setting is empty.
- Both: The filter relevanssi_post_to_index now has a second parameter. For posts, it simply repeats the post object, but for taxonomy terms, it has the term object.
The free version is available from the plugin repository. Premium is available through WordPress plugin updates or from the download page.