CVE-2025-11926: 
WordPress vulnerability analysis and mitigation

The Related Posts Lite plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-11926) discovered in October 2025. This vulnerability affects all versions up to and including 1.12. The plugin, which allows users to display related posts on their WordPress sites, is susceptible to XSS attacks through admin settings due to insufficient input sanitization and output escaping (NVD).

The vulnerability stems from improper input sanitization and output escaping in the plugin's admin settings. The issue occurs when administrator-level users can inject arbitrary web scripts that execute when users access the affected pages. The vulnerability has been assigned a CVSS v3.1 score of 4.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N. The vulnerability is specifically limited to multi-site installations and installations where unfiltered_html has been disabled (Wordfence).

When exploited, this vulnerability allows authenticated attackers with administrator-level permissions to inject malicious web scripts that execute in the context of other users' browsers when they access the affected pages. This could potentially lead to session theft, defacement, or administrative actions via authenticated victims (Github PoC).

The plugin has been permanently closed as of August 29, 2025, and is no longer available for download. Users are advised to remove the plugin from their WordPress installations and seek alternative solutions for related posts functionality (WordPress Plugin).