VYPR
Medium severity 4.3 · NVD Advisory · Published Jan 23, 2026 · Updated Apr 28, 2026

CVE-2026-24596

Description

Cross-Site Request Forgery (CSRF) vulnerability in marynixie Related Posts Thumbnails Plugin for WordPress related-posts-thumbnails allows Cross Site Request Forgery. This issue affects Related Posts Thumbnails Plugin for WordPress: from n/a through <= 4.3.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF vulnerability in Related Posts Thumbnails plugin for WordPress (≤4.3.2) allows attackers to force privileged users to execute unwanted actions.

The Related Posts Thumbnails plugin for WordPress, versions up to and including 4.3.2, contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw arises from insufficient validation of request origins, allowing an attacker to craft malicious requests that are executed with the privileges of an authenticated administrator or other privileged user [1].

Exploitation requires user interaction: a privileged user must be tricked into clicking a malicious link, visiting a crafted page, or submitting a form while authenticated to the WordPress site. No additional authentication is needed for the attacker beyond the victim's existing session [1].

Successful exploitation could enable an attacker to perform unauthorized actions on behalf of the victim, such as changing plugin settings or performing other administrative operations, without the victim's consent. The CVSS score of 4.3 (Medium) reflects the need for user interaction and the limited direct impact on data confidentiality or access to sensitive data [1].

The vulnerability is addressed in version 4.3.3 of the plugin. Users are strongly advised to update to this version or later. Patchstack users can enable auto-updates for vulnerable plugins. As a general precaution, administrators should avoid clicking suspicious links while logged into their WordPress dashboard [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
