CVE-2021-24211 in Related Posts Plugin
Summary
by MITRE • 04/06/2021
The WordPress Related Posts plugin through 3.6.4 contains an authenticated (admin+) stored XSS vulnerability in the title field on the settings page. By exploiting that an attacker will be able to execute JavaScript code in the user's browser.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 08/12/2025
The WordPress Related Posts plugin version 3.6.4 and earlier contains a critical authenticated stored cross-site scripting vulnerability that poses significant security risks to WordPress installations. This vulnerability exists within the plugin's settings page where the title field fails to properly sanitize user input, creating an opportunity for malicious actors to inject persistent JavaScript code. The flaw requires an attacker to possess administrator-level privileges or higher within the WordPress environment, making it an authenticated vulnerability that can be exploited by compromised admin accounts or those with elevated access rights.
The technical implementation of this vulnerability stems from inadequate input validation and output escaping mechanisms within the plugin's administrative interface. When administrators navigate to the settings page and enter malicious content into the title field, the plugin stores this input without proper sanitization. Subsequently, when other users with sufficient privileges view the settings page, the stored malicious JavaScript executes in their browser context, potentially leading to session hijacking, data exfiltration, or further compromise of the WordPress installation. This stored XSS vulnerability operates through the standard XSS attack vector where malicious code persists in the database and executes whenever the affected page is loaded.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable sophisticated attack chains that leverage the elevated privileges of administrative users. An attacker with admin access can craft malicious payloads that persist in the plugin's settings, allowing for long-term exploitation without requiring repeated authentication. The vulnerability affects all users who have access to the plugin's settings page, making it particularly dangerous in multi-user environments where administrators may not be fully aware of the potential for such persistent attacks. The stored nature of the vulnerability means that the malicious code continues to execute whenever the affected page is accessed, potentially compromising multiple users over extended periods.
Mitigation strategies for this vulnerability should focus on immediate patching of the WordPress Related Posts plugin to version 3.6.5 or later, which contains the necessary input sanitization fixes. Administrators should implement strict access controls and regularly audit user permissions to minimize the risk of unauthorized access to administrative functions. Network-level security measures such as web application firewalls can provide additional protection by detecting and blocking malicious input patterns. The vulnerability aligns with CWE-79 which addresses cross-site scripting flaws, and maps to ATT&CK technique T1059.007 for JavaScript execution within web applications. Regular security audits of WordPress plugins and themes, along with maintaining updated security practices, are essential for preventing similar vulnerabilities from compromising WordPress installations. Organizations should also consider implementing automated monitoring solutions that can detect anomalous behavior in administrative interfaces, providing early warning of potential exploitation attempts.