Remove Special Chars / Running Server Commands with S GET Variable
We found a vulnerability in search where the search will stall out if given some malicious / questionable values in the "s" _GET variable. We are running WP 6.5.3 and Relevanssi 4.22.2.
In our case, this value causes the plugin to stall out and actually run the given ping commands. Our URL is replaced with xxx.com here.
We would like to know how to mitigate this. Thank you.
GET /site/?s=rbzEWw'(selectfrom(select(sleep(20)))a)' HTTP/1.1
Host: http://www.xxx.com
Accept-Encoding: gzip, deflate, br
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: _ga_3YH6EH8MJL=GS1.1.1715623118.1.0.1715623118.0.0.0; _ga=GA1.1.1793963646.1715623118
Upgrade-Insecure-Requests: 1
Referer: https://www.xxx.com/site/
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="124", "Chromium";v="124"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0
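As an added example, not code from the original post, from Relevanssi or from WordPress core, this is one way to do what the topic title asks: strip special characters from the "s" query variable before WordPress or any search plugin reads it, and, for anyone who writes custom SQL against a search term, pass the term through $wpdb->prepare() instead of splicing it into the query. It uses only WordPress core APIs (pre_get_posts, WP_Query, $wpdb); the plugin name, the function names and the 100-character limit are this example's own choices. It is a front-end mitigation and does not establish whether the reported stall is a database-side sleep() or something else.

```php
<?php
/**
 * Plugin Name: Harden Search Term (added example)
 *
 * Example code, not part of Relevanssi or WordPress. Place it in
 * wp-content/mu-plugins/ so it loads on every request. It normalises the
 * "s" query variable on the main search query and shows the parameterised
 * pattern to use if custom SQL is ever written against a search term.
 */

// Longest search term accepted; an arbitrary limit chosen for this example.
const HARDEN_SEARCH_MAX_LEN = 100;

/**
 * Reduce a raw search term to letters, digits, whitespace and hyphens.
 *
 * Quotes, parentheses, semicolons, backslashes and comment markers are all
 * replaced by a space, so a term such as  x'(select(sleep(20)))a)'  becomes
 * "x select sleep 20 a", which no SQL or shell parser will treat as syntax.
 */
function harden_search_clean_term( $raw ) {
	$term = wp_strip_all_tags( (string) $raw );
	// \p{L} and \p{N} keep non-Latin letters and digits intact.
	$term = preg_replace( '/[^\p{L}\p{N}\s-]/u', ' ', $term );
	if ( null === $term ) { // invalid UTF-8: refuse the term rather than guess
		return '';
	}
	$term = trim( preg_replace( '/\s+/u', ' ', $term ) );
	if ( function_exists( 'mb_substr' ) ) {
		return mb_substr( $term, 0, HARDEN_SEARCH_MAX_LEN, 'UTF-8' );
	}
	return substr( $term, 0, HARDEN_SEARCH_MAX_LEN );
}

/**
 * Rewrite "s" on the front-end main search query before it is executed.
 * pre_get_posts fires before WordPress builds the SQL, so anything that
 * later reads $query->query_vars['s'] sees the cleaned term.
 */
function harden_search_pre_get_posts( WP_Query $query ) {
	if ( is_admin() || ! $query->is_main_query() || ! $query->is_search() ) {
		return;
	}
	$query->set( 's', harden_search_clean_term( $query->get( 's' ) ) );
}
add_action( 'pre_get_posts', 'harden_search_pre_get_posts' );

/**
 * The pattern for any custom SQL that touches a search term: the term goes
 * through esc_like() for LIKE wildcards and then prepare() as a %s
 * placeholder, so it is quoted and escaped as data, never spliced as SQL.
 * Returns the prepared SQL string so callers can run or log it.
 */
function harden_search_prepared_sql( $term ) {
	global $wpdb;
	$like = '%' . $wpdb->esc_like( $term ) . '%';
	return $wpdb->prepare(
		"SELECT ID FROM {$wpdb->posts} WHERE post_status = 'publish' AND post_title LIKE %s",
		$like
	);
}
```

A quick check that separates "the search stalls" from "the term reaches the database as SQL": request /site/?s=rbzEWw'(select(sleep(5)))a)' and the same with sleep(10), and compare wall-clock times against a plain /site/?s=rbzEWw. If the response time tracks the sleep argument, the term is being interpolated into a query unescaped somewhere, and the real fix belongs in whatever builds that query (the prepare() pattern above); the pre_get_posts filter then only acts as defence in depth. If all three take the same time, the slowness is ordinary search cost, not SQL execution of the payload. Note that the filter also turns "O'Brien" into "O Brien", which is usually acceptable for search but worth knowing.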