{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2986", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-22T17:08:03.100Z", "datePublished": "2026-04-18T11:16:10.980Z", "dateUpdated": "2026-04-20T14:19:06.323Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-18T11:16:10.980Z"}, "affected": [{"vendor": "ajay", "product": "Contextual Related Posts", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Contextual Related Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'other_attributes' parameter in versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Contextual Related Posts <= 4.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'other_attributes'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f59e069-a953-47b6-8106-55f55df722ed?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3481684/contextual-related-posts"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "timeline": [{"time": "2026-04-17T21:46:50.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:18:54.573243Z", "id": "CVE-2026-2986", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:19:06.323Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2986", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T14:18:54.573243Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:18:59.227Z"}}], "cna": {"title": "Contextual Related Posts <= 4.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'other_attributes'", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "ajay", "product": "Contextual Related Posts", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.2.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-17T21:46:50.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f59e069-a953-47b6-8106-55f55df722ed?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3481684/contextual-related-posts"}], "descriptions": [{"lang": "en", "value": "The Contextual Related Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'other_attributes' parameter in versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-18T11:16:10.980Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2986", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:19:06.323Z", "dateReserved": "2026-02-22T17:08:03.100Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-18T11:16:10.980Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Contextual Related Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'other_attributes' parameter in versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-2986", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-18T12:16:11.600", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3481684/contextual-related-posts"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f59e069-a953-47b6-8106-55f55df722ed?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.1]"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "Contextual Related Posts", "source": "cna", "vendor": "ajay"}, "product": "contextual_related_posts", "vendor": "ajaydsouza"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-18T16:59:36.503684+00:00", "value": {"mitigation_remediation": ["Upgrade Contextual Related Posts to a version newer than 4.2.1 that removes the unsanitized \"other_attributes\" field.", "If an immediate upgrade is not possible, restrict contributor or higher roles to trusted users only or temporarily disable the plugin until a fix is applied.", "Deploy a web application firewall or use a security plugin that blocks or sanitizes XSS payloads in the \"other_attributes\" field to provide a temporary mitigation."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "This issue affects the WordPress plugin Contextual Related Posts up to and including version 4.2.1. Sites that have installed any of those versions and have users with contributor or elevated roles are impacted. No other WordPress core components or plugins are listed as affected.", "description_and_impact": "The Contextual Related Posts plugin contains a stored cross\u2011site scripting flaw that allows an authenticated user with contributor or higher privileges to inject malicious JavaScript into the \"other_attributes\" field. Once a script is stored, it executes automatically whenever any user opens a page that displays the injected data, enabling session hijacking, defacement, or data exfiltration. The vulnerability is a classic case of insufficient input sanitization and output escaping, as identified by CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 suggests a moderate level of risk, and the EPSS score is not available, so exploitation likelihood cannot be quantified precisely. The vulnerability is not listed in CISA KEV, indicating no known broad exploitation at the time of reporting. Attackers can exploit the flaw locally by creating or modifying entries within the plugin. The stored nature of the payload means that once injected, the script runs for all visitors, providing a broad impact for the site owner."}}}}, "created": "2026-04-18T17:00:05.555935+00:00", "updated": "2026-04-20T14:45:08.999286+00:00", "vendors": ["ajaydsouza", "ajaydsouza$PRODUCT$contextual_related_posts", "wordpress", "wordpress$PRODUCT$wordpress"]}