Impact
The alphasis Related Posts via Categories plugin contains a stored cross-site scripting (XSS) flaw that can be triggered through a cross-site request forgery (CSRF) request. Unfiltered user input can be submitted and stored in the database; when the page is subsequently rendered, the payload executes in the context of any visitor to the site. As a result, attackers could steal credentials, deface content, or perform further attacks against users of the affected WordPress site. The weakness is classified as CWE-79.
Affected Systems
Any WordPress installation that has the alphasis Related Posts via Categories plugin version 2.1.2 or earlier installed is vulnerable. Sites that include this plugin—regardless of any other security controls—are at risk until the plugin is updated or removed.
Risk and Exploitability
The CVSS score of 7.1 classifies this vulnerability as high severity, but the EPSS score of less than 1% indicates that active exploitation is currently rare. The flaw is not listed in the CISA KEV catalog. Exploitation requires a user session with privileges sufficient to submit a post or modify plugin settings; an attacker can trigger the issue via a malicious link, form, or embedded HTTP request. The attack path relies on a legitimate authenticated request that is crafted to carry malicious payload data.
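The controls that break the chain described under Impact and Risk and Exploitability, shown as an added example and not the plugin's own code: a capability check and nonce reject the forged request, and sanitizing on save plus escaping on output keep stored input from rendering as markup. The action, option and field names are hypothetical; the WordPress functions are core APIs.

```php
<?php
// Added example: hypothetical settings handler, not the plugin's code.
// Action, option and field names are assumptions made for illustration.
const DEMO_RP_ACTION = 'demo_rp_save';      // hypothetical admin-post action
const DEMO_RP_OPTION = 'demo_rp_heading';   // hypothetical option key
const DEMO_RP_NONCE  = 'demo_rp_nonce';     // hypothetical nonce field name

// Settings form: the nonce binds the submission to this user's session, and
// esc_attr() stops a stored value from breaking out of the value attribute.
function demo_rp_render_form() {
    $heading = get_option( DEMO_RP_OPTION, '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( DEMO_RP_ACTION ); ?>">
        <?php wp_nonce_field( DEMO_RP_ACTION, DEMO_RP_NONCE ); ?>
        <input type="text" name="heading" value="<?php echo esc_attr( $heading ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Save handler: refuse under-privileged or forged requests before touching
// the database, then store plain text only.
function demo_rp_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Terminates the request if the nonce is missing or invalid (CSRF defence).
    check_admin_referer( DEMO_RP_ACTION, DEMO_RP_NONCE );

    $raw = isset( $_POST['heading'] ) ? wp_unslash( $_POST['heading'] ) : '';
    update_option( DEMO_RP_OPTION, sanitize_text_field( $raw ) );

    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_' . DEMO_RP_ACTION, 'demo_rp_save' );

// Front-end output: escape again at render time so values stored before a
// fix, or written by another code path, are still displayed as text.
function demo_rp_heading_html() {
    return '<h3>' . esc_html( get_option( DEMO_RP_OPTION, '' ) ) . '</h3>';
}
```

Either control alone leaves half the chain intact: a nonce without output escaping still renders markup submitted by a legitimate but malicious editor, and escaping without a nonce still lets a forged request change settings.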