Platform
wordpress
Component
contextual-related-posts
Fixed in
4.2.2
CVE-2026-2986 represents a stored Cross-Site Scripting (XSS) vulnerability discovered within the Contextual Related Posts plugin for WordPress. This flaw allows authenticated attackers, possessing contributor-level access or greater, to inject arbitrary web scripts. The vulnerability stems from insufficient input sanitization and output escaping within the 'other_attributes' parameter, potentially leading to the execution of malicious code when users access affected pages. The vulnerability affects versions of the plugin up to and including 4.2.1, with a patch available in version 4.2.2.
The Contextual Related Posts plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability. This means an authenticated attacker, with contributor-level access or higher, can inject malicious JavaScript code into WordPress pages. When other users visit these pages, the script executes in their browsers, allowing the attacker to steal cookies, redirect to malicious websites, or perform other harmful actions on behalf of the user. The vulnerability stems from insufficient sanitization of the 'other_attributes' parameter input, allowing code injection. This vulnerability has a CVSS score of 6.4, indicating a moderate risk. Updating the plugin is crucial to mitigate this risk.
An attacker with contributor or higher access on a WordPress site using Contextual Related Posts can exploit this vulnerability. The attacker can inject malicious JavaScript code through the 'other_attributes' parameter in the plugin's settings. Once injected, the code is stored in the database and executed every time a user visits the affected page. The difficulty of exploitation is relatively low, as it only requires contributor access. The impact can be significant, allowing the attacker to compromise user accounts and steal sensitive information.
Exploit Status
EPSS
0.01% (1% percentile)
CISA SSVC
CVSS Vector
The recommended solution is to update the Contextual Related Posts plugin to version 4.2.2 or higher. This version includes a fix for the XSS vulnerability. Additionally, review all pages where the 'other_attributes' parameter was used in previous plugin versions to check for any injected malicious code. Implementing a Content Security Policy (CSP) can help mitigate the impact of XSS, even if updating the plugin immediately isn't possible. Monitoring server logs for suspicious activity is also a good security practice.
Update to version 4.2.2, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into legitimate websites. These scripts execute in the user's browser, potentially allowing the attacker to steal information, redirect to malicious websites, or perform other harmful actions.
In WordPress, the 'contributor' role has permissions to publish and edit posts and pages, but not to administer the site in general. An attacker with this level of access can exploit this vulnerability.
If you are using a version older than 4.2.2 of the Contextual Related Posts plugin, you are likely vulnerable. Review the plugin’s settings and look for any suspicious entries in the 'other_attributes' parameter.
CSP (Content Security Policy) is a security layer that helps prevent XSS attacks by controlling the resources that the browser is allowed to load for a web page.
You can find more information about this vulnerability in the CVE database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2986
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.