CVE-2018-9034

MEDIUM

Relevanssi < 4.0.4 - Cross-Site Scripting via Tab GET Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-9034. PoCs published by Stefan Broeder.

AI-analyzed exploit summary This exploit demonstrates a reflected XSS vulnerability in the Relevanssi WordPress plugin (version 4.0.4) due to improper escaping of the 'tab' parameter in an HTML attribute. The PoC provides a crafted URL that, when visited by an authenticated admin, executes arbitrary JavaScript.

Description

Cross-site scripting (XSS) vulnerability in lib/interface.php of the Relevanssi plugin 4.0.4 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the tab GET parameter.

Exploits (1)

exploitdb WORKING POC
by Stefan Broeder · textwebappsphp
https://www.exploit-db.com/exploits/44366

This exploit demonstrates a reflected XSS vulnerability in the Relevanssi WordPress plugin (version 4.0.4) due to improper escaping of the 'tab' parameter in an HTML attribute. The PoC provides a crafted URL that, when visited by an authenticated admin, executes arbitrary JavaScript.

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Relevanssi WordPress Plugin 4.0.4
Auth required
Prerequisites: Victim must be logged in as WordPress administrator · Victim must visit attacker-controlled URL
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44366/

Scores

CVSS v3 5.4
EPSS 0.0201
EPSS Percentile 78.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
relevanssi/relevanssi < 4.0.4
Published Apr 04, 2018
Tracked Since Feb 18, 2026