Contextual Related Posts < 4.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'other_attributes' | CVE 2026-2986 | Plugin Vulnerabilities

Description

The Contextual Related Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'other_attributes' parameter in versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

contextual-related-posts

Fixed in 4.2.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8f59e069-a953-47b6-8106-55f55df722ed

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777)

Verified

No

WPVDB ID

4131f42a-4328-4977-a31f-4a2136ffbe7c

Timeline

Publicly Published

2026-04-17 (about 25 days ago)

Added

2026-04-17 (about 25 days ago)

Last Updated

2026-04-18 (about 25 days ago)

Other

Published

Title

Published

2024-11-15

Title

LUNA RADIO PLAYER < 6.24.11.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2025-01-24

Title

Auction Nudge – Your eBay on Your Site < 7.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2021-09-20

Title

Wechat Reward <= 1.7 - CSRF to Stored Cross-Site Scripting

Published

2023-07-17

Title

MultiParcels Shipping For WooCommerce < 1.15.4 - Reflected XSS

Published

2023-04-19

Title

Help Desk WP <= 1.2.0 - Editor+ Stored XSS