Description
The Contextual Related Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'other_attributes' parameter in versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-18
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Contextual Related Posts plugin contains a stored cross‑site scripting flaw that allows an authenticated user with contributor or higher privileges to inject malicious JavaScript into the "other_attributes" field. Once a script is stored, it executes automatically whenever any user opens a page that displays the injected data, enabling session hijacking, defacement, or data exfiltration. The vulnerability is a classic case of insufficient input sanitization and output escaping, as identified by CWE‑79.

Affected Systems

This issue affects the WordPress plugin Contextual Related Posts up to and including version 4.2.1. Sites that have installed any of those versions and have users with contributor or elevated roles are impacted. No other WordPress core components or plugins are listed as affected.

Risk and Exploitability

The CVSS score of 6.4 suggests a moderate level of risk, and the EPSS score is not available, so exploitation likelihood cannot be quantified precisely. The vulnerability is not listed in CISA KEV, indicating no known broad exploitation at the time of reporting. Attackers can exploit the flaw locally by creating or modifying entries within the plugin. The stored nature of the payload means that once injected, the script runs for all visitors, providing a broad impact for the site owner.

Generated by OpenCVE AI on April 18, 2026 at 16:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Contextual Related Posts to a version newer than 4.2.1 that removes the unsanitized "other_attributes" field.
  • If an immediate upgrade is not possible, restrict contributor or higher roles to trusted users only or temporarily disable the plugin until a fix is applied.
  • Deploy a web application firewall or use a security plugin that blocks or sanitizes XSS payloads in the "other_attributes" field to provide a temporary mitigation.

Generated by OpenCVE AI on April 18, 2026 at 16:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
Description The Contextual Related Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'other_attributes' parameter in versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Contextual Related Posts <= 4.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'other_attributes'
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-18T11:16:10.980Z

Reserved: 2026-02-22T17:08:03.100Z

Link: CVE-2026-2986

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-18T12:16:11.600

Modified: 2026-04-18T12:16:11.600

Link: CVE-2026-2986

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses