WordPress Plugin Vulnerabilities

Inline Related Posts < 3.0.5 - Admin+ Cross-Site Scripting

Description

Multiple parameters are vulnerable to stored Cross-site Scripting. The vulnerabilities require admin privileges to exploit. In each case the script will execute for every user viewing a post that contains one of the inline references.

Proof of Concept

Affects Plugins

Plugin icon
intelly-related-posts
Fixed in 3.0.5

References

CVE
CVE-2021-35470
URL
https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29376

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Martin Vierula of Trustwave
Verified
No
WPVDB ID
14b87d5d-522e-40e6-a30f-2f27da62c303

Timeline

Publicly Published
2021-10-09 (about 4 years ago)
Added
2021-10-09 (about 4 years ago)
Last Updated
2022-04-08 (about 4 years ago)

Other

Published
Title
Published
2015-05-12
Title
Adsense Click Fraud Monitoring <= 1.7.5 - XSS
Published
2024-09-30
Title
Elastik Page Builder <= 0.27.4 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Published
2025-01-16
Title
CtyGrid Hyp3rL0cal Search WordPress Plugin <= 0.1.1.1 - Reflected Cross-Site Scripting
Published
2025-05-20
Title
Raisely Donation Form < 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via raisely_donation_form Shortcode
Published
2026-01-06
Title
Page Keys < 1.3.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'page_key' Parameter