CVE-2026-0916 Overview
The Related Posts by Taxonomy plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the plugin's related_posts_by_tax shortcode in all versions up to, and including, 2.7.6. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access or above to inject arbitrary web scripts into pages that execute whenever a user accesses an injected page.
Critical Impact
Authenticated attackers can inject persistent malicious scripts that execute in the context of victim users' browsers, potentially leading to session hijacking, credential theft, or further site compromise.
Affected Products
- Related Posts by Taxonomy WordPress plugin, all versions up to and including 2.7.6
- Any WordPress site running a vulnerable version on which an attacker holds, or can obtain, an account with contributor-level access or above (for example a guest writer, or a self-registered user if the site's default role is contributor)
- The site does not need to be using the related_posts_by_tax shortcode already: the attacker supplies the shortcode in their own post content
Discovery Timeline
- 2026-01-16 - CVE CVE-2026-0916 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2026-0916
Vulnerability Analysis
This stored cross-site scripting vulnerability exists within the related_posts_by_tax shortcode handler in the Related Posts by Taxonomy WordPress plugin. The flaw is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). It is exploitable over the network by any authenticated user with at least contributor-level privileges. No interaction is required of the victim beyond viewing the affected page: because the payload is stored in the WordPress database, it executes on every ordinary page view rather than depending on a crafted link being clicked.
The impact crosses from the attacker's account into other users' browser sessions (a scope change in CVSS terms), affecting the confidentiality and integrity of those sessions. Since only contributor-level authentication is needed, the flaw is reachable by a relatively broad set of users on multi-author WordPress sites.
Root Cause
The root cause is missing output escaping: values taken from the shortcode's user-supplied attributes are written into the HTML response without being escaped for the context they land in (esc_attr() for attribute values, esc_html() for text nodes) and without being coerced to their expected type (an integer count, a list of CSS class names). WordPress's KSES filtering, which strips script tags and on* event-handler attributes from content saved by roles without the unfiltered_html capability, does not close this gap: KSES only filters HTML tags, while a shortcode attribute value is plain text at save time and becomes markup only when the plugin's handler renders it. A value such as a stray quote character followed by an event-handler attribute therefore survives the save and is emitted verbatim into the page. The vulnerable code path is reported in the plugin's functions.php at line 259.
Attack Vector
The attack vector is the WordPress shortcode system, which any user who can write post content, contributors included, can use. An attacker creates or edits a post containing the related_posts_by_tax shortcode with a JavaScript payload in one or more attribute values. Contributors cannot publish, so such a post sits in pending review; the first victim is therefore often the editor or administrator who previews it for approval, and once published the script runs for every visitor to the page.
Because the payload persists in the database, this is a stored XSS: it keeps firing for as long as the post exists, can affect many users over time, and needs no social engineering to reach victims beyond getting the post in front of them.
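The pattern behind this class of bug, as an added illustrative example and not the plugin's own code (the attribute names title, columns and css_class and the two function names are hypothetical; the real handler is not reproduced here): a shortcode callback that concatenates attributes straight into HTML, beside a hardened version that coerces by type and escapes for the output context. The comment block at the end walks one contributor-level payload through both handlers.

```php
<?php
// Added illustrative example; not code from the Related Posts by Taxonomy plugin.
// Attribute names and function names are hypothetical.

// VULNERABLE: shortcode_atts() only fills in defaults; it does not sanitize.
// Each value is concatenated straight into markup.
function rpbt_example_vulnerable( $atts ) {
	$atts = shortcode_atts( array(
		'title'     => 'Related Posts',
		'columns'   => '3',
		'css_class' => 'rpbt-related-posts',
	), $atts, 'related_posts_by_tax' );

	return '<div class="' . $atts['css_class'] . '" data-columns="' . $atts['columns'] . '">'
		. '<h3>' . $atts['title'] . '</h3>'
		. '</div>';
}

// HARDENED: coerce to the expected type where there is one, and escape every
// remaining value for the exact context it lands in (attribute vs. text node).
function rpbt_example_hardened( $atts ) {
	$atts = shortcode_atts( array(
		'title'     => 'Related Posts',
		'columns'   => '3',
		'css_class' => 'rpbt-related-posts',
	), $atts, 'related_posts_by_tax' );

	$columns = absint( $atts['columns'] ); // non-negative integer, nothing else
	// Each whitespace-separated token is reduced to [A-Za-z0-9_-]; empties dropped.
	$classes = array_filter( array_map( 'sanitize_html_class', preg_split( '/\s+/', $atts['css_class'] ) ) );

	return '<div class="' . esc_attr( implode( ' ', $classes ) ) . '" data-columns="' . esc_attr( (string) $columns ) . '">'
		. '<h3>' . esc_html( $atts['title'] ) . '</h3>'
		. '</div>';
}

/*
 * Why a contributor can reach this: KSES strips <script> and on* attributes
 * from content saved by roles without unfiltered_html, but it only looks at
 * HTML tags. A shortcode attribute value with no '<' in it is plain text to
 * KSES and is saved verbatim, e.g.
 *
 *   [related_posts_by_tax css_class='" onmouseover="alert(document.cookie)']
 *
 * WordPress parses the single-quoted value as:  " onmouseover="alert(document.cookie)
 *
 * rpbt_example_vulnerable() renders:
 *   <div class="" onmouseover="alert(document.cookie)" data-columns="3"><h3>Related Posts</h3></div>
 *
 * rpbt_example_hardened() renders the same input inertly:
 *   <div class="onmouseoveralertdocumentcookie" data-columns="3"><h3>Related Posts</h3></div>
 */
```

The lesson generalizes beyond this plugin: shortcode_atts() merges defaults, it does not validate, so every attribute that reaches output needs either a type coercion (absint, sanitize_html_class, an allow-list of accepted values) or a context-specific escape, and a value that is only escaped for one context is still unsafe if it is later reused in another (for example in an inline style or a JavaScript string).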
Detection Methods for CVE-2026-0916
Indicators of Compromise
- Script tags, javascript: URLs, HTML event-handler attributes (onerror, onload, onmouseover and similar) or stray quote characters inside related_posts_by_tax shortcode attribute values in post content, including pending and draft posts, not only published ones
- Unexpected modifications to posts containing the related posts shortcode
- Browser console errors or unexpected JavaScript execution on pages displaying related posts
- User reports of unusual behavior or redirects when viewing specific posts
Detection Strategies
- Audit the WordPress database for posts of any status (pending and draft included, since contributors cannot publish) that contain related_posts_by_tax shortcodes with suspicious attribute values
- Implement Web Application Firewall (WAF) rules that inspect shortcode attributes in post submissions for XSS patterns, as a stopgap only: signature-based filtering can be bypassed and does not replace the update
- Monitor user activity logs for contributors and authors creating or editing posts that contain the shortcode
- Use WordPress security plugins that scan post content for stored XSS payloads
Monitoring Recommendations
- Enable comprehensive logging for post creation and modification events, particularly for users with contributor-level access
- Deploy real-time monitoring for JavaScript execution anomalies on WordPress pages
- Implement a Content Security Policy (CSP) on the front end that disallows inline event handlers and unknown script sources, with violation reporting enabled, to limit what an injected payload can do; note that wp-admin depends on inline scripts, so a strict policy there needs careful allow-listing and testing
- Regularly scan the WordPress database for stored XSS patterns in shortcode attributes
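The database audit called for under Detection Strategies and Monitoring Recommendations, as an added example that is not part of the plugin or of WP-CLI: a script run with wp eval-file (the file name rpbt-audit.php is hypothetical) that uses WordPress core's own shortcode parser rather than a raw LIKE over post_content, so it examines only the attribute values of related_posts_by_tax tags, covers posts of every status, and exits non-zero when it finds something so it can run from cron or CI.

```php
<?php
// Added example, not part of the plugin or of WP-CLI. Save as rpbt-audit.php
// (hypothetical name) and run from the site root:
//   wp eval-file rpbt-audit.php
// It inspects every post row regardless of status, so pending contributor
// submissions and drafts are covered, and reports shortcode attribute values
// that look like markup or attribute injection.

global $wpdb;

$tag = 'related_posts_by_tax';

// Core's shortcode regex for just this tag. Capture groups: 1 and 6 are the
// optional escaping brackets of [[tag]], 2 the tag name, 3 the raw attribute string.
$shortcode_re = '/' . get_shortcode_regex( array( $tag ) ) . '/';

// Values a legitimate title, count or class name should never contain:
// angle brackets, a javascript: URL, an on*= handler, a numeric entity,
// or a stray quote (the attribute-injection primitive). Expect some false
// positives; every hit needs a human look.
$suspect_re = '/[<>]|javascript:|\bon[a-z]+\s*=|&#|["\']/i';

$rows = $wpdb->get_results( $wpdb->prepare(
	"SELECT ID, post_author, post_status, post_content FROM {$wpdb->posts} WHERE post_content LIKE %s",
	'%' . $wpdb->esc_like( '[' . $tag ) . '%'
) );

$hits = 0;
foreach ( $rows as $row ) {
	if ( ! preg_match_all( $shortcode_re, $row->post_content, $matches, PREG_SET_ORDER ) ) {
		continue;
	}
	foreach ( $matches as $m ) {
		if ( '[' === $m[1] && ']' === $m[6] ) {
			continue; // [[tag]] is an escaped, non-executing shortcode
		}
		$atts = shortcode_parse_atts( $m[3] );
		if ( ! is_array( $atts ) ) {
			continue; // shortcode_parse_atts() returns a string when there are no attributes
		}
		foreach ( $atts as $name => $value ) {
			if ( is_string( $value ) && preg_match( $suspect_re, $value ) ) {
				$hits++;
				WP_CLI::warning( sprintf(
					'post %d (%s, author %d): attribute %s = %s',
					$row->ID, $row->post_status, $row->post_author, $name, $value
				) );
			}
		}
	}
}

if ( $hits ) {
	// WP_CLI::error() exits with a non-zero status, which makes this usable as a scheduled check.
	WP_CLI::error( "$hits suspicious shortcode attribute value(s) found; review the posts above." );
}
WP_CLI::success( 'No suspicious related_posts_by_tax attribute values found.' );
```

Because it parses with get_shortcode_regex() and shortcode_parse_atts(), the script sees the same attribute boundaries the plugin's handler will see at render time, which a plain REGEXP over the whole post body cannot guarantee. Post revisions are stored in the same table and are included, which is useful: an attacker who later edits the payload out leaves the earlier revision behind.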
How to Mitigate CVE-2026-0916
Immediate Actions Required
- Update the Related Posts by Taxonomy plugin to the latest patched version immediately
- Audit existing posts for malicious content within related_posts_by_tax shortcodes
- Review contributor and author accounts for unauthorized or suspicious activity
- Consider temporarily disabling the plugin until a patch can be applied
Patch Information
Security patches for this vulnerability are tracked through the Wordfence Vulnerability Report. Users should update to a version newer than 2.7.6 as soon as one becomes available. Monitor the WordPress plugin repository for update notifications.
Workarounds
- Restrict contributor-level access on WordPress sites until the plugin is patched
- Remove or disable the Related Posts by Taxonomy plugin if it is not essential to site functionality
- Implement a Web Application Firewall with rules to filter XSS payloads in shortcode parameters
- Restrict who can place the shortcode: WordPress does not gate shortcodes by capability, so this requires either a capability-management plugin that can filter saved content per role or a small custom filter that strips related_posts_by_tax from content saved by users without the unfiltered_html capability
# Temporarily disable the plugin via WP-CLI (the wordpress.org slug is related-posts-by-taxonomy)
wp plugin deactivate related-posts-by-taxonomy
# Find candidate posts for manual review. This uses the site's real table prefix instead of assuming wp_,
# returns posts of every status (a contributor's payload sits in a pending post, not a published one),
# and matches any on*= event handler rather than only onerror/onload. POSIX character classes are used
# so the pattern works on both the MySQL 5.7 and 8.0 regex engines.
wp db query "SELECT ID, post_title, post_status, post_author FROM $(wp db prefix)posts WHERE post_content LIKE '%[related_posts_by_tax%' AND post_content REGEXP '<script|javascript:|on[a-z]+[[:space:]]*='"
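One way to implement the capability-based workaround listed above while keeping the plugin active for trusted roles, as an added example that is not the plugin's own code: a must-use plugin (the file name rpbt-shortcode-gate.php is hypothetical) that strips the related_posts_by_tax shortcode from any post saved by a user who lacks unfiltered_html. Those are exactly the roles KSES already treats as untrusted, so nothing is taken away from users who could post raw script anyway.

```php
<?php
/**
 * Plugin Name: RPBT shortcode gate (temporary workaround)
 * Description: Strips [related_posts_by_tax] from content saved by users without unfiltered_html.
 *
 * Added example, not code from the Related Posts by Taxonomy plugin. Place in
 * wp-content/mu-plugins/rpbt-shortcode-gate.php (hypothetical name) until a
 * patched release is installed, then remove it. It only affects new saves;
 * existing posts still need the database audit.
 */

add_filter( 'wp_insert_post_data', function ( $data ) {
	// Editors/admins on single site (super admins on multisite, unless
	// DISALLOW_UNFILTERED_HTML is set) keep the shortcode. Everyone else,
	// including an unauthenticated context such as cron, loses it.
	if ( current_user_can( 'unfiltered_html' ) ) {
		return $data;
	}

	// Cheap pre-check before compiling the shortcode regex.
	if ( empty( $data['post_content'] ) || false === strpos( $data['post_content'], '[related_posts_by_tax' ) ) {
		return $data;
	}

	// Core's shortcode regex, limited to this one tag. strip_shortcode_tag() is
	// the callback core's strip_shortcodes() uses; it removes the tag and its
	// enclosed content but leaves escaped [[related_posts_by_tax]] forms intact.
	$pattern = '/' . get_shortcode_regex( array( 'related_posts_by_tax' ) ) . '/';
	$data['post_content'] = preg_replace_callback( $pattern, 'strip_shortcode_tag', $data['post_content'] );

	return $data;
} );
```

The filter runs inside wp_insert_post(), so it covers the classic editor, the block editor's REST requests and XML-RPC alike, and it acts on the slashed $data array core expects, which the shortcode regex tolerates because backslashes never appear in the characters it uses to delimit a tag. A safer alternative during the window, if contributor workflows can tolerate it, is the plugin deactivation shown above; this gate is for sites that need the related-posts output on published pages in the meantime.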
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.