CVE-2024-0602 in Yet Another Related Posts Plugin
Summary
by MITRE • 02/29/2024
The YARPP – Yet Another Related Posts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.30.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Analysis
by VulDB Data Team • 04/12/2026
CVE-2024-0602 affects the YARPP plugin for WordPress in all versions up to and including 5.30.9. It is a stored cross-site scripting flaw in the plugin's administrative settings interface: because settings input is not adequately sanitized on the way in and not sufficiently escaped on the way out, script injected into the plugin's configuration persists and is served to other users. Exploitation requires administrator-level privileges or higher. That matters on installations where administrators have been denied the unfiltered_html capability, since the plugin then lets them store script that WordPress itself would otherwise have stripped.
Technically, the flaw lies in how the plugin handles input in administrative contexts. When an administrator saves plugin settings through the WordPress admin panel, the submitted values are not properly sanitized, so JavaScript or other markup placed in a settings field is stored as-is in the plugin's configuration data. Because the stored value is later rendered without escaping, the script executes for every user who loads a page containing it, turning a single malicious save into a persistent threat to multiple users of the same WordPress installation.
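As an added illustration (not YARPP's code; option names, setting group and callback names are hypothetical), the following WordPress snippet contrasts the settings-handling pattern described above with one that filters on input, honours the unfiltered_html capability, and escapes on output:

```php
<?php
/**
 * Added illustration of the flaw class in CVE-2024-0602, not YARPP's code.
 * Option names, the settings group and the callbacks are hypothetical.
 */

// --- Vulnerable pattern: admin-supplied settings stored and echoed as-is. ---
// Any administrator, including one WordPress has denied unfiltered_html
// (all non-super-admins on multisite, or when DISALLOW_UNFILTERED_HTML is set),
// can store <script> that runs for every visitor to a page showing the option.
function example_save_vulnerable() {
    update_option( 'example_heading',  wp_unslash( $_POST['example_heading'] ) );  // no sanitization
    update_option( 'example_template', wp_unslash( $_POST['example_template'] ) ); // no sanitization
}
function example_render_vulnerable() {
    echo '<h3>' . get_option( 'example_heading' ) . '</h3>'; // no escaping
    echo get_option( 'example_template' );                   // raw stored HTML
}

// --- Hardened pattern: filter on input, escape on output. ---
add_action( 'admin_init', function () {
    // sanitize_callback runs on every write made through the Settings API.
    register_setting( 'example_group', 'example_heading',
        array( 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ) );
    register_setting( 'example_group', 'example_template',
        array( 'type' => 'string', 'sanitize_callback' => 'example_sanitize_template' ) );
} );

// A template field that legitimately needs some HTML: mirror WordPress core's
// rule for post content. Only users holding unfiltered_html keep raw markup;
// everyone else is reduced to the post-safe allow-list (no <script>, no on* handlers).
function example_sanitize_template( $value ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value );
}

function example_render_hardened() {
    $heading  = get_option( 'example_heading', 'Related posts' );
    $template = get_option( 'example_template', '' );

    echo '<h3>' . esc_html( $heading ) . '</h3>';                                            // HTML text context
    echo '<input type="text" name="example_heading" value="' . esc_attr( $heading ) . '">'; // attribute context
    // Re-filter on output as well: stored data may predate the sanitize callback
    // or have been written by a path that bypassed it.
    echo wp_kses_post( $template );
}
```

The hardened variant also gives defenders a simple audit hook: any stored option value that fails to round-trip unchanged through the same sanitizer is worth examining.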
The operational impact is greatest in multi-site WordPress installations where the plugin is in use. The vulnerability specifically affects installations where the unfiltered_html capability has been disabled, a common hardening step in well-configured WordPress environments; on multisite, WordPress removes unfiltered_html from site administrators by default and reserves it for super admins, which is why the advisory singles out multi-site deployments. Organizations relying on multisite configurations with restricted HTML capabilities are therefore the ones at risk. The attack requires an authenticated administrator, but once a payload is stored it executes in the browser of any user who accesses the affected pages, potentially leading to session hijacking, data exfiltration, or further privilege escalation.
This vulnerability is classified under CWE-79 (Cross-site Scripting) and is a classic example of a stored XSS flaw persisting in a web application. In ATT&CK terms, the pattern is an attacker with existing administrative access planting code that executes persistently for other users, combining injection with the abuse of already-held privileges. The impact is amplified in enterprise environments where WordPress serves as a central content management platform, since a payload there can reach users with access to sensitive organizational data and systems.
Organizations should update to the latest plugin version without delay; all versions up to and including 5.30.9 are affected, and the advisory itself does not name the fixed release. Administrators should also audit their WordPress installations for signs of exploitation (in particular, review stored plugin settings for unexpected markup), confirm that only authorized personnel hold administrator privileges, and add monitoring for unusual administrative activity. The vulnerability underlines the importance of proper input validation and output escaping in web applications, particularly in content management systems whose administrative interfaces handle user-provided data.