
WordPress Powers 42.5% of Websites – 93% of Its 71,000 Vulnerabilities Come from Plugins
The CrowdSec Network has detected a massive surge in exploitation attempts targeting CVE-2025-4396, a SQL injection vulnerability in the Relevanssi – A Better Search plugin for WordPress. With over 16,500 distinct attacking IPs observed since early February, this campaign shows no signs of slowing down.



Key findings
- Vulnerability Timeline: Published on 13 May 2025; CrowdSec released detection rules on 21 January 2026, and the first exploitation was observed on 2 February 2026.
- Attack Volume: The CrowdSec network has detected exploitation attempts from 16,545 unique IP addresses over the past 10 weeks, with activity spiking noticeably over the past week.
- Target Profile: 79% of attacks hit small office/home office environments, with government sites (12%) and e-commerce platforms (9%) also in the crosshairs.
What is Relevanssi?
Relevanssi is a popular WordPress search plugin that replaces the default WordPress search with a more powerful alternative. It’s used on hundreds of thousands of WordPress sites to provide better search results, custom filtering, and advanced query features. The plugin comes in both free and premium versions.
Why it matters: WordPress powers over 40% of all websites on the internet. A vulnerability in a widely used search plugin doesn’t just break functionality; it gives attackers a skeleton key to your database. That database contains everything from customer emails and order histories to password hashes and admin credentials.
How does CVE-2025-4396 work?
CVE-2025-4396 is a time-based SQL injection vulnerability affecting Relevanssi versions up to 4.24.4 (free) and 2.27.4 (premium). The flaw exists in how the plugin handles the cats and tags query parameters during search operations.
Attackers exploit this by injecting SQL commands into these parameters—for example, by appending payloads like ?s=test&cats=1*sleep(5) to a search request. Because the plugin doesn’t properly sanitize or escape these inputs before passing them to the database, attackers can execute arbitrary SQL queries. They typically use time-based techniques (forcing the database to pause) to confirm the vulnerability works, then escalate to extracting sensitive data.
The vulnerability is particularly dangerous because it requires no authentication—anyone who can access your site’s search function can attempt to exploit it.
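To make the time-based probe described above concrete from the defender's side, here is an added example of detection logic run over web-server access logs. It is not CrowdSec's own scenario and not code from the Relevanssi project. It assumes, based on the plugin's documented usage, that legitimate cats and tags values are comma-separated numeric term IDs, so anything else is anomalous, and a value containing a database delay function (sleep and its relatives) is treated as a time-based SQL injection probe. The log lines are constructed, with addresses from documentation ranges, and the script also counts offending source IPs, the same kind of per-IP aggregation behind the attack-volume numbers in this write-up.

```python
"""Added example: scan access logs for CVE-2025-4396-style probes against Relevanssi.

Assumption: cats/tags carry comma-separated numeric IDs on legitimate requests.
Not part of the original post; not CrowdSec or Relevanssi code.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [02/Feb/2026:10:14:03 +0000] "GET /?s=test&cats=1*sleep(5) HTTP/1.1" 200 5123 "-" "python-requests/2.31"
203.0.113.10 - - [02/Feb/2026:10:14:09 +0000] "GET /?s=test&tags=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 5123 "-" "python-requests/2.31"
198.51.100.7 - - [02/Feb/2026:10:15:44 +0000] "GET /?s=shoes&cats=12,15 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Feb/2026:10:16:02 +0000] "GET /?s=red%20shoes HTTP/1.1" 200 9011 "-" "Mozilla/5.0"
192.0.2.55 - - [02/Feb/2026:10:17:30 +0000] "GET /?s=a&cats=1%20OR%20sleep(3) HTTP/1.1" 200 5123 "-" "curl/8.4"
192.0.2.55 - - [02/Feb/2026:10:17:31 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "curl/8.4"
192.0.2.55 - - [02/Feb/2026:10:17:40 +0000] "GET /?s=a&cats=1%27 HTTP/1.1" 500 412 "-" "curl/8.4"
"""

# Combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WATCHED_PARAMS = ("cats", "tags")          # the two parameters named in the advisory
NUMERIC_LIST_RE = re.compile(r"\d+(,\d+)*")  # assumed legitimate shape: "12" or "12,15"
DELAY_FN_RE = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.IGNORECASE)


def parse_line(line):
    """Return the parsed record (with percent-decoded query params) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = parse_qs(urlsplit(rec["target"]).query)  # decodes %20, %28 etc.
    return rec


def classify_value(value):
    """Verdict for one cats/tags value: clean, suspicious, or time-based-sqli."""
    if NUMERIC_LIST_RE.fullmatch(value):
        return "clean"
    if DELAY_FN_RE.search(value):
        return "time-based-sqli"
    return "suspicious"


def scan_log(text):
    """Yield (ip, param, decoded value, verdict) for every cats/tags occurrence."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for param in WATCHED_PARAMS:
            for value in rec["params"].get(param, []):
                findings.append((rec["ip"], param, value, classify_value(value)))
    return findings


def attackers(findings):
    """Count non-clean hits per source IP, the basis for a block decision."""
    return Counter(ip for ip, _p, _v, verdict in findings if verdict != "clean")


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for ip, param, value, verdict in results:
        if verdict != "clean":
            print(f"{ip:15} {param}={value!r}: {verdict}")
    print("offending sources:", dict(attackers(results)))
```

Decoding the query before matching matters: the second sample line hides SLEEP(5) behind %20 and %28, and a naive substring check on the raw request line would miss it. Classifying any non-numeric value as at least "suspicious" also catches probes that use a delay function the regex does not list, at the cost of occasional noise from malformed legitimate requests.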
Research references:
Threat Landscape Analysis
The CrowdSec network data paints a clear picture: this is not a targeted campaign—it’s a feeding frenzy. With over 16,500 distinct attacking IPs spread across dozens of countries, we’re seeing classic opportunistic, automated scanning. Attackers are carpet-bombing the internet, looking for vulnerable Relevanssi installations.
What’s particularly concerning is the recent uptick. After nearly 10 weeks of steady background noise, exploitation activity has jumped above baseline levels. This suggests one or more of the following:
- New exploit tools or scripts have been released
- Botnet operators have added this CVE to their scanning routines
- Awareness is spreading in attacker communities
The top attacking countries are the United States (31%), Singapore (11%), United Kingdom (8%), and China (8%)—a geographic distribution that screams “cloud infrastructure abuse” rather than nation-state operations. Most of these IPs are likely compromised servers or VPS instances being rented by attackers for mass scanning.
The target breakdown is equally telling: 79% of attacks hit SOHO (small office/home office) environments. These are typically smaller WordPress sites with limited security resources—easy targets for data harvesting, SEO spam injection, or botnet recruitment.
How to protect your systems
Patch: Update the Relevanssi plugin immediately:
- Free version: Upgrade to version 4.24.5 or later
- Premium version: Upgrade to version 2.27.5 or later
Preemptive blocking: Deploy the CrowdSec Security Engine to detect and block SQL injection attempts in real time. CrowdSec has been tracking and blocking the exploitation of CVE-2025-4396 since 21 January 2026.
Subscribe to CrowdSec Intelligence Blocklists to automatically block the most aggressive IPs targeting WordPress vulnerabilities.