Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brecht Custom Related Posts custom-related-posts allows Stored XSS.This issue affects Custom Related Posts: from n/a through <= 1.7.4.
Published: 2025-04-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Brecht:Custom Related Posts contains an input sanitization flaw that allows an attacker to inject arbitrary JavaScript into web pages rendered to site visitors. The stored nature of the flaw means malicious code can persist across sessions and affect every user who views the affected content. Successful exploitation could enable cookie theft, session hijacking, defacement, or the delivery of further malware to clients.

Affected Systems

The vulnerable component is the Custom Related Posts plugin released by Brecht, affecting all installed versions up to and including 1.7.4. Any WordPress site that has this plugin active and allows administrators or content editors to create or edit related post entries is potentially exposed.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, and the EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog, so no evidence of widespread active exploitation exists yet. The attack vector can be inferred to require an authenticated user with permission to add or edit posts through the Custom Related Posts interface; the injected script is then served to all site visitors when the content is displayed.

Generated by OpenCVE AI on May 1, 2026 at 09:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Custom Related Posts plugin to the latest available version that removes the XSS flaw.
  • If an upgrade is not immediately possible, deactivate or delete the plugin to eliminate the attack surface.
  • Apply site-wide content sanitization rules or a security plugin that escapes output from user-generated content to provide a temporary protective barrier.

Generated by OpenCVE AI on May 1, 2026 at 09:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-12323 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brecht Custom Related Posts allows Stored XSS. This issue affects Custom Related Posts: from n/a through 1.7.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brecht Custom Related Posts allows Stored XSS. This issue affects Custom Related Posts: from n/a through 1.7.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brecht Custom Related Posts custom-related-posts allows Stored XSS.This issue affects Custom Related Posts: from n/a through <= 1.7.4.
Title WordPress Custom Related Posts <= 1.7.4 - Cross Site Scripting (XSS) Vulnerability WordPress Custom Related Posts plugin <= 1.7.4 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Wed, 07 May 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Brechtvds
Brechtvds custom Related Posts
CPEs cpe:2.3:a:brechtvds:custom_related_posts:*:*:*:*:*:wordpress:*:*
Vendors & Products Brechtvds
Brechtvds custom Related Posts

Tue, 22 Apr 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 22 Apr 2025 10:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brecht Custom Related Posts allows Stored XSS. This issue affects Custom Related Posts: from n/a through 1.7.4.
Title WordPress Custom Related Posts <= 1.7.4 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Brechtvds Custom Related Posts
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:12:36.883Z

Reserved: 2025-04-22T08:46:38.826Z

Link: CVE-2025-46227

cve-icon Vulnrichment

Updated: 2025-04-22T17:01:55.321Z

cve-icon NVD

Status : Modified

Published: 2025-04-22T10:15:15.617

Modified: 2026-04-23T15:29:54.457

Link: CVE-2025-46227

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T09:30:14Z

Weaknesses