CVE-2025-26545

CVE-2025-26545 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin Related Posts Line-up-Exactly by Milliard (related-posts-line-up-exactry-by-milliard) that allows Stored Cross-Site Scripting (XSS). The issue affects all versions of the plugin from n/a through 0.0.22 inclusive. It is associated with CWE-352 and has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network-based exploitation with low complexity, no privileges required, user interaction needed, changed scope, and low impacts across confidentiality, integrity, and availability.

An unauthenticated attacker (PR:N) can exploit this vulnerability over the network (AV:N) by tricking an authenticated user, typically an administrator, into performing an unintended action via a malicious webpage or link (UI:R). This forged request injects and stores an XSS payload through the plugin's functionality, which executes in the browser context of subsequent users viewing affected pages, enabling potential theft of sensitive data like session cookies or further site compromise.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/related-posts-line-up-exactry-by-milliard/vulnerability/wordpress-related-posts-line-up-exactly-by-milliard-plugin-0-0-22-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on this CSRF-to-Stored XSS vulnerability in the Related Posts Line-up-Exactly by Milliard plugin version 0.0.22. Security practitioners should consult this reference for specific mitigation recommendations, such as applying available patches or removing the vulnerable plugin.