CVE-2026-2986 - Vulnerability Details

- Contextual Related Posts <= 4.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'other_attributes'

Description

The Contextual Related Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'other_attributes' parameter in versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2026-04-18

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Contextual Related Posts plugin contains a stored cross‑site scripting flaw that allows an authenticated user with contributor or higher privileges to inject malicious JavaScript into the "other_attributes" field. Once a script is stored, it executes automatically whenever any user opens a page that displays the injected data, enabling session hijacking, defacement, or data exfiltration. The vulnerability is a classic case of insufficient input sanitization and output escaping, as identified by CWE‑79.

Affected Systems

This issue affects the WordPress plugin Contextual Related Posts up to and including version 4.2.1. Sites that have installed any of those versions and have users with contributor or elevated roles are impacted. No other WordPress core components or plugins are listed as affected.

Risk and Exploitability

The CVSS score of 6.4 suggests a moderate level of risk, and the EPSS score is not available, so exploitation likelihood cannot be quantified precisely. The vulnerability is not listed in CISA KEV, indicating no known broad exploitation at the time of reporting. Attackers can exploit the flaw locally by creating or modifying entries within the plugin. The stored nature of the payload means that once injected, the script runs for all visitors, providing a broad impact for the site owner.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ajay

Contextual Related Posts

unaffected

Version	Status	Constraints
`0`	affected	≤ 4.2.1

No data.

Vendor Product Confidence Versions

Ajaydsouza

Contextual Related Posts

91%

Version	Status	Scheme	Platform
`[0,4.2.1]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Contextual Related Posts to a version newer than 4.2.1 that removes the unsanitized "other_attributes" field.
If an immediate upgrade is not possible, restrict contributor or higher roles to trusted users only or temporarily disable the plugin until a fix is applied.
Deploy a web application firewall or use a security plugin that blocks or sanitizes XSS payloads in the "other_attributes" field to provide a temporary mitigation.

Generated by OpenCVE AI on April 18, 2026 at 16:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00012.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3481684/contextual-related-posts
https://www.wordfence.com/threat-intel/vulnerabilities/id/8f59e069-a953-47b6-8106-55f55df722ed?source=cve

History

Mon, 20 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 20 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ajaydsouza Ajaydsouza contextual Related Posts Wordpress Wordpress wordpress
Vendors & Products		Ajaydsouza Ajaydsouza contextual Related Posts Wordpress Wordpress wordpress

Sat, 18 Apr 2026 11:30:00 +0000

Type	Values Removed	Values Added
Description		The Contextual Related Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'other_attributes' parameter in versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		Contextual Related Posts <= 4.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'other_attributes'
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/changeset/3481684/contextual-related-posts https://www.wordfence.com/threat-intel/vulnerabilities/id/8f59e069-a953-47b6-8106-55f55df722ed?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Ajaydsouza Contextual Related Posts

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-04-18T11:16:10.980Z

Updated: 2026-04-20T14:19:06.323Z

Reserved: 2026-02-22T17:08:03.100Z

Link: CVE-2026-2986

Vulnrichment

Updated: 2026-04-20T14:18:59.227Z

NVD

Status : Deferred

Published: 2026-04-18T12:16:11.600

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-2986

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T14:45:08Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object