Related Posts by Taxonomy < 2.7.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'related_posts_by_tax' Shortcode | CVE 2026-0916 | Plugin Vulnerabilities

Description

The Related Posts by Taxonomy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'related_posts_by_tax' shortcode in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

related-posts-by-taxonomy

Fixed in 2.7.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0582fe7d-884c-4019-837a-861d36ccc842

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Muhammad Yudha - DJ

Verified

No

WPVDB ID

2ebabb4c-d69c-400b-ba34-62aef207d7c4

Timeline

Publicly Published

2026-01-15 (about 5 months ago)

Added

2026-01-15 (about 5 months ago)

Last Updated

2026-01-23 (about 5 months ago)

Other

Published

Title

Published

2016-07-20

Title

Nofollow Links <= 1.0.10 - Cross-Site Scripting (XSS)

Published

2024-10-21

Title

Extra Privacy for Elementor <= 0.1.3 - Reflected Cross-Site Scripting

Published

2023-03-30

Title

Premmerce Redirect Manager < 1.0.12 - Admin+ Stored XSS

Published

2022-02-22

Title

Transposh WordPress Translation < 1.0.8 - Reflected Cross-Site Scripting

Published

2024-06-21

Title

Website Content in Page or Post < 2024.04.09 - Contributor+ Stored Cross-Site Scripting