VYPR
Medium severity (CVSS 4.4). NVD Advisory. Published Oct 18, 2025. Updated Apr 15, 2026.

CVE-2025-11926

Description

The Related Posts Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in Related Posts Lite plugin (≤1.12) allows authenticated administrators to inject malicious scripts via admin settings, affecting multisite or unfiltered_html-disabled installations.

Vulnerability

Description

The Related Posts Lite plugin for WordPress (versions up to 1.12) suffers from a Stored Cross-Site Scripting (XSS) vulnerability due to insufficient input sanitization and output escaping in its admin settings page. The plugin uses `update_option('rpl_options', $_POST);` to save POST data without sanitization, and then renders these values, such as the plugin title, via the `[wpdreams_rpl]` shortcode without proper escaping (e.g., `esc_html()`). [1]

Exploitation

An authenticated attacker with administrator-level permissions can inject arbitrary JavaScript into settings fields. Because the settings form lacks nonce and capability checks, this can also be exploited via Cross-Site Request Forgery (CSRF). The injected script executes when any user accesses a page displaying related posts. [1] The vulnerability is only exploitable on multi-site installations or when administrators have `unfiltered_html` disabled, but these conditions are common in multi-site environments. [1]
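The following is an added example, not the plugin's own code, that places the save pattern quoted in the description beside a hardened settings handler: the hardened path verifies a nonce and the `manage_options` capability, sanitizes each field against an allow-list before `update_option()`, and escapes at render time with `esc_html()`. The option name `rpl_options` and the shortcode tag `wpdreams_rpl` come from the description; the field names, function names and nonce action are assumptions.

```php
<?php
// Added example, not the plugin's code. Option name 'rpl_options' and
// shortcode 'wpdreams_rpl' come from the advisory; field names, nonce
// action and function names are assumed for illustration.

// Allow-list of settings fields mapped to their sanitizers (assumed fields).
function rpl_example_allowed_fields() {
    return array(
        'title' => 'sanitize_text_field',
        'count' => 'absint',
    );
}

// The pattern named in the description: the whole POST body is stored as-is,
// with no nonce, no capability check and no sanitization.
function rpl_example_save_settings_vulnerable() {
    update_option( 'rpl_options', $_POST );
}

// Hardened save: the form must carry wp_nonce_field( 'rpl_example_save',
// 'rpl_example_nonce' ); the handler then checks capability and sanitizes
// field by field, silently dropping any key not in the allow-list.
function rpl_example_save_settings() {
    if ( ! isset( $_POST['rpl_example_save'] ) ) {
        return;
    }
    check_admin_referer( 'rpl_example_save', 'rpl_example_nonce' ); // dies on a bad or missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'rpl-example' ) );
    }
    $clean = array();
    foreach ( rpl_example_allowed_fields() as $field => $sanitizer ) {
        $raw = ( isset( $_POST[ $field ] ) && is_scalar( $_POST[ $field ] ) )
            ? wp_unslash( $_POST[ $field ] )
            : '';
        $clean[ $field ] = call_user_func( $sanitizer, $raw );
    }
    update_option( 'rpl_options', $clean );
}
add_action( 'admin_init', 'rpl_example_save_settings' );

// Hardened render: escape at output even though input was sanitized on save,
// so a value written by any other path cannot become markup.
function rpl_example_shortcode() {
    $options = get_option( 'rpl_options', array() );
    $title   = isset( $options['title'] ) ? $options['title'] : '';
    return '<h3 class="rpl-title">' . esc_html( $title ) . '</h3>';
}
add_shortcode( 'wpdreams_rpl', 'rpl_example_shortcode' );
```

Note that sanitizing on save does not remove the need to escape on output: the two checks guard against different code paths, and the description attributes the issue to both being absent.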

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session theft, website defacement, or actions performed on behalf of an authenticated user, such as creating new administrator accounts. [1]

Mitigation

As of August 29, 2025, the plugin has been permanently closed and is no longer available for download from the WordPress plugin repository. [2] Users are strongly advised to remove the plugin and replace it with a maintained alternative; no patched version exists.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
