Description
The Related Posts Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2025-10-18
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The flaw in the Related Posts Lite plugin allows an authenticated administrator to insert arbitrary scripts into the plugin’s settings. When a page that uses the affected settings is rendered, the stored script is executed in the victim’s browser, leading to the typical outcomes of a stored XSS vulnerability—session hijacking, defacement, or phishing of other site users. The potential use of the injected code for credential theft, site defacement, or phishing is inferred from the nature of stored XSS and the description of arbitrary script execution, rather than stated explicitly in the advisory.

Affected Systems

WordPress installations running any version of Related Posts Lite 1.12 or earlier. The issue is exploitable only on network‑wide (multi‑site) blogs or on sites where the unfiltered_html capability has been disabled for ordinary administrators, meaning environments that restrict raw HTML input are at risk.

Risk and Exploitability

The CVSS score of 4.4 classifies the vulnerability as moderate, and the EPSS score of less than 1 % indicates a very low likelihood of exploitation at present. The vulnerability is not present in the CISA KEV catalog. Exploitation requires an attacker to first log in as an administrator or higher, after which the payload can be stored in the plugin’s settings and subsequently delivered to any site visitor.

Generated by OpenCVE AI on April 22, 2026 at 16:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Related Posts Lite to the latest version (or apply the vendor patch if available).
  • If an upgrade is not possible, remove or disable the plugin on multisite installations or sites where unfiltered_html is disabled.
  • Restrict administrator‑level permissions to only trusted users and consider disabling the unfiltered_html capability to limit script injection.

Generated by OpenCVE AI on April 22, 2026 at 16:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Oct 2025 20:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Oct 2025 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpdreams
Wpdreams related Posts Lite
Vendors & Products Wordpress
Wordpress wordpress
Wpdreams
Wpdreams related Posts Lite

Sat, 18 Oct 2025 09:45:00 +0000

Type Values Removed Values Added
Description The Related Posts Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title Related Posts Lite <= 1.12 - Authenticated (Admin+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Wpdreams Related Posts Lite
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:57.992Z

Reserved: 2025-10-17T20:29:26.584Z

Link: CVE-2025-11926

cve-icon Vulnrichment

Updated: 2025-10-20T16:55:21.716Z

cve-icon NVD

Status : Deferred

Published: 2025-10-18T10:15:38.883

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11926

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T17:00:12Z

Weaknesses