Description
Cross-Site Request Forgery (CSRF) vulnerability in alphasis Related Posts via Taxonomies related-posts-via-taxonomies allows Stored XSS. This issue affects Related Posts via Taxonomies: from n/a through <= 1.0.1.
Published: 2025-04-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The alphasis Related Posts via Taxonomies plugin contains a Cross-Site Request Forgery flaw that can be leveraged to store malicious script code. By getting an authenticated user to submit a crafted request, an attacker can inject JavaScript that the plugin stores and then includes in the pages delivered to every visitor. This stored XSS allows the attacker to execute arbitrary client-side code whenever the affected page is viewed, which may lead to defacement or other malicious browser-side effects. The weakness is classified as CWE-352.

Affected Systems

WordPress installations using the alphasis Related Posts via Taxonomies plugin version 1.0.1 or older are potentially affected. No other vendors or product variants are mentioned in the supplied data.

Risk and Exploitability

The CVSS base score of 7.1 indicates a high-severity issue. The EPSS score is reported as less than 1%, suggesting a low probability of active exploitation, yet the flaw remains exploitable. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the CSRF weakness by inducing an authenticated site user to submit the forged request, for example from an attacker-controlled page, resulting in stored XSS. The impact is confined to the integrity of rendered content and client-side script execution.

Generated by OpenCVE AI on May 2, 2026 at 08:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Related Posts via Taxonomies plugin to a version newer than 1.0.1, which removes the CSRF and stored XSS flaw.
  • If an upgrade is not possible, temporarily disable or uninstall the plugin until a fixed version is released.
  • Deploy a robust Content‑Security‑Policy that disallows inline script execution and limits script sources to trusted domains, mitigating the effect of any residual stored XSS.
  • Ensure that all WordPress administrative forms employ proper nonce checks and CSRF protections to prevent similar vulnerabilities.
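The last two recommendations describe a pattern rather than a specific fix. The following is an added example of that pattern and is not code from the Related Posts via Taxonomies plugin or from OpenCVE: a WordPress settings form whose handler checks the user's capability, verifies a nonce bound to the specific action (which a cross-site forged request cannot supply), sanitizes on input and escapes on output, plus a Content-Security-Policy header that forbids inline scripts. The option name, field names, nonce action, capability and CSP values are assumptions chosen for illustration.

```php
<?php
/*
 * Added example (not code from the Related Posts via Taxonomies plugin):
 * a hardened WordPress admin settings handler. The option name, form field
 * names, capability and nonce action below are assumptions.
 */

// 1. Render the settings form with a nonce field bound to a specific action.
function rpvt_example_render_settings_page() {
    $current = get_option( 'rpvt_example_heading', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rpvt_example_save">
        <?php wp_nonce_field( 'rpvt_example_save', 'rpvt_example_nonce' ); ?>
        <label>Heading text
            <input type="text" name="rpvt_heading" value="<?php echo esc_attr( $current ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handle the POST: capability check first, then nonce check, then sanitize.
function rpvt_example_save_settings() {
    // Only users who may manage options can change the setting at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    // check_admin_referer() verifies the nonce tied to this action and dies
    // on failure; a request forged from another site cannot carry a valid nonce.
    check_admin_referer( 'rpvt_example_save', 'rpvt_example_nonce' );

    // Sanitize on input so no markup reaches the database.
    $heading = isset( $_POST['rpvt_heading'] )
        ? sanitize_text_field( wp_unslash( $_POST['rpvt_heading'] ) )
        : '';
    update_option( 'rpvt_example_heading', $heading );

    $back = wp_get_referer();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ? $back : admin_url() ) );
    exit;
}
add_action( 'admin_post_rpvt_example_save', 'rpvt_example_save_settings' );

// 3. Escape on output as well: even if a stored value were ever tampered
//    with, it is emitted as text rather than interpreted as HTML.
function rpvt_example_output_heading() {
    echo '<h3>' . esc_html( get_option( 'rpvt_example_heading', '' ) ) . '</h3>';
}

// 4. Defence in depth: a CSP that forbids inline scripts limits what any
//    residual stored XSS can execute. Sent for front-end requests only.
function rpvt_example_send_csp() {
    if ( is_admin() ) {
        return;
    }
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
}
add_action( 'send_headers', 'rpvt_example_send_csp' );
```

The capability check runs before the nonce check because a nonce only proves that the request originated from a page the user saw, not that the user is allowed to perform the action. A strict `script-src 'self'` policy will break themes and plugins that rely on inline scripts, so it is sensible to roll it out first as `Content-Security-Policy-Report-Only` and review the violation reports before enforcing it.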


Advisories
Source: EUVD
ID: EUVD-2025-12001
Title: Cross-Site Request Forgery (CSRF) vulnerability in alphasis Related Posts via Taxonomies allows Stored XSS. This issue affects Related Posts via Taxonomies: from n/a through 1.0.1.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description (removed): Cross-Site Request Forgery (CSRF) vulnerability in alphasis Related Posts via Taxonomies allows Stored XSS. This issue affects Related Posts via Taxonomies: from n/a through 1.0.1.
  Description (added): Cross-Site Request Forgery (CSRF) vulnerability in alphasis Related Posts via Taxonomies related-posts-via-taxonomies allows Stored XSS.This issue affects Related Posts via Taxonomies: from n/a through <= 1.0.1.
  References
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 25 Apr 2025 14:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 24 Apr 2025 16:15:00 +0000
  Description: Cross-Site Request Forgery (CSRF) vulnerability in alphasis Related Posts via Taxonomies allows Stored XSS. This issue affects Related Posts via Taxonomies: from n/a through 1.0.1.
  Title: WordPress Related Posts via Taxonomies plugin <= 1.0.1 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability
  Weaknesses: CWE-352
  References
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:40.031Z

Reserved: 2025-04-24T14:23:19.973Z

Link: CVE-2025-46520

Vulnrichment

Updated: 2025-04-24T19:54:12.262Z

NVD

Status: Deferred

Published: 2025-04-24T16:15:43.230

Modified: 2026-04-23T15:30:09.853

Link: CVE-2025-46520

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:45:38Z

Weaknesses